In what is one of the biggest leaks of email addresses in recent history, a group called Goatse Security has published the personal email addresses of 114,067 iPad 3G purchasers, according to Gawker. The email addresses were obtained in what appears to be a legal fashion, by querying a public interface that AT&T accidentally left exposed.

The names of the victims immediately draw attention to the story. Among them are New York Times Co. CEO Janet Robinson, Diane Sawyer of ABC News, film mogul Harvey Weinstein, New York City Mayor Michael Bloomberg, and even White House Chief of Staff Rahm Emanuel. A number of CEOs, CFOs, and CTOs also had their email addresses exposed by the leak.

Additionally, a number of the email addresses exposed belonged to high-ranking military officials or DARPA researchers. Among these was William Eldredge, who "commands the largest operational B-1 [strategic bomber] group in the U.S. Air Force."

Every one of these individuals, and thousands of other everyday people, had their email addresses and corresponding ICC-IDs (integrated circuit card identifiers) leaked. The ICC-ID is a number used to uniquely identify the SIM card in a particular subscriber's device.

How did Goatse get this treasure trove of data? Apparently AT&T left a script on its public website which, when handed an ICC-ID, would respond with the email address of the subscriber. This was apparently intended to serve AJAX-style responses inside AT&T's web apps. The complete lack of protections on the lookup allowed the group to freely guess ICC-IDs based on known IDs from iPad pictures posted online, and in turn harvest the resulting email addresses. The only "trick," if you could call it that, was to make the site think they were using an iPad browser by adding an iPad-style "User-Agent" header to their web request.

A simple PHP script later, Goatse Security had a hoard of email addresses to sift through. And here's the kicker: before reporting this gaping hole to AT&T, they shared the exploit with various interested parties. So there's no telling who else used it, how many more IDs were leaked, or what other damage could have resulted.

With the ICC-ID and unique email in hand, malicious parties could easily launch mass attacks to try to gain further access. For example, it's likely that at least one of those email addresses with the password "darthvader" would return account access.

This huge breach is likely worrisome to those who are thinking of buying an iPad 3G – most people would prefer their personal email address not be shared with the masses. The only consolation here is that if your password is sufficiently strong and your email address does not hint at your identity, the leak might not be that big a deal (other than subjecting you to a bit of extra spam).

Apple, which has already hinted at its displeasure with AT&T on certain issues, certainly can't be thrilled about this development either. It releases a hit new product, and now, thanks to the service provider, over a hundred thousand of its customers have had their personal information compromised. Apple CEO Steve Jobs surely won't rest until AT&T's gaping hole is filled, but by now the damage is probably already done. One thing's for sure: there's going to be a lot of fallout from this incredible breach.
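As an added example (not code from the article, from AT&T or from Goatse Security), here is the defender-side check that catches the behaviour described above: a script that parses constructed web-server log lines for an unauthenticated ICC-ID lookup endpoint of the kind the story describes and flags clients that sweep many, or consecutive, ICC-IDs. The endpoint path, the log format and every IP and ICC-ID are assumptions.

```python
import re
from collections import defaultdict

# Assumed, simplified access-log format: client IP, timestamp, request line,
# status, User-Agent. The /lookup?iccid= endpoint is a stand-in for AT&T's script.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) - - \[[^\]]+\] "GET /lookup\?iccid=(?P<iccid>\d{19,20}) '
    r'HTTP/1\.[01]" (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

def parse(log_text):
    """Yield (ip, iccid, status, user_agent) for each line that matches LINE_RE."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("ip"), int(m.group("iccid")), int(m.group("status")), m.group("ua")

def find_enumerators(log_text, min_distinct=5, min_run=4):
    """Flag clients that pulled at least min_distinct different ICC-IDs, or walked
    min_run consecutive ones, through successful (200) lookups. A real iPad asks
    about its own ICC-ID only; the User-Agent is client-supplied, so it is not a signal."""
    seen = defaultdict(set)
    for ip, iccid, status, _ua in parse(log_text):
        if status == 200:
            seen[ip].add(iccid)
    flagged = {}
    for ip, ids in seen.items():
        ordered = sorted(ids)
        longest = run = 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur == prev + 1 else 1   # consecutive IDs extend the run
            longest = max(longest, run)
        if len(ids) >= min_distinct or longest >= min_run:
            flagged[ip] = {"distinct": len(ids), "longest_run": longest}
    return flagged

# Constructed sample log (documentation IP ranges, made-up ICC-IDs): one client
# sweeps consecutive IDs, one iPad looks up its own ID, one request fails.
UA = '"Mozilla/5.0 (iPad; U; CPU OS 3_2 like Mac OS X) AppleWebKit/531.21.10"'
SAMPLE_LOG = "\n".join(
    [f'203.0.113.5 - - [09/Jun/2010:10:00:0{i} +0000] "GET /lookup?iccid='
     f'8901410421234567890{i} HTTP/1.1" 200 {UA}' for i in range(1, 6)]
    + [f'198.51.100.7 - - [09/Jun/2010:10:00:09 +0000] "GET /lookup?iccid='
       f'89014104217777777777 HTTP/1.1" 200 {UA}',
       f'192.0.2.9 - - [09/Jun/2010:10:00:10 +0000] "GET /lookup?iccid='
       f'89014104210000000001 HTTP/1.1" 404 {UA}']
)
if __name__ == "__main__":
    for ip, info in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: {info['distinct']} distinct ICC-IDs, longest consecutive run {info['longest_run']}")
```

The same logic applied to the unauthenticated lookup before it served a reply (or a simple rule that a session may only resolve its own ICC-ID) would have stopped the harvest rather than merely reporting it.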
Updated: 6:35 p.m. June 9, 2010
We just received the following official statement from an AT&T spokesperson:
AT&T was informed by a business customer on Monday of the potential exposure of their iPad ICC IDS. The only information that can be derived from the ICC IDS is the e-mail address attached to that device. This issue was escalated to the highest levels of the company and was corrected by Tuesday; and we have essentially turned off the feature that provided the e-mail addresses. The person or group who discovered this gap did not contact AT&T. We are continuing to investigate and will inform all customers whose e-mail addresses and ICC IDS may have been obtained. At this point, there is no evidence that any other customer information was shared. We take customer privacy very seriously and while we have fixed this problem, we apologize to our customers who were impacted.
quote: The article makes no mention of Goatse Security beyond stating they broadcast the personal emails of tons of people, many of whom are members of the federal government.