iPad 3G customers may soon be getting a lot
more spam. Last week, security analysts with Goatse
Security exploited AT&T's overly permissive web
interface to obtain
114,000 email addresses of iPad 3G buyers, including a host of
A-list politicians, military officials, business chiefs, and
celebrities. Goatse Security previously indicated that it may
have disclosed the flaw to interested third parties before it was
closed, raising the likelihood that malicious parties may have
harvested iPad owners' emails for spamming or other ill purposes.On
Sunday, AT&T’s VP of public policy and Chief Privacy Officer
Dorothy Attwood today sent out an apology
email to all of AT&T’s iPad 3G data plan
subscribers.In the email Attwood writes, "We apologize
for the incident and any inconvenience it may have caused. Rest
assured, you can continue to use your AT&T 3G service on you iPad
with confidence."Later in the email, AT&T warns
customers to be on the lookout for new spam emails. They write,
"While the attack was limited to email addresses and ICC-ID
data, we encourage you to be alert to scams that could attempt to use
this information to obtain other data or send you unwanted email.
You can learn more about phishing by visiting the AT&T
website."One interesting thing about the letter is its
characterization of the Goatse Security analysts as "hackers"
and the breach as an "attack". AT&T also writes
in a letter that the attack was "malicious", despite the
fact that Goatse Security purportedly informed AT&T of the
hole.AT&T is cooperating with the Federal Bureau of
Investigation to investigate
the breach. The investigation could yield criminal charges
against the Goatse Security analysts, if they reside in the U.S.
In AT&T's letter it says that it does not tolerate leaking of
personal information and will "prosecute violators to the
fullest extent of the law."In the case of Goatse
Security, one thing that may hinder criminal charges is just how easy
to find the information was. The only "hack" of any
sort Goatse Security had to engage in was to send AT&T's web
application a request header that looked like it came from an iPad.
Sending fake request headers is nothing new, and not particularly
illegal. For example, many smartphones have the option to set
your request header to either indicate you're on mobile phone, or to
spoof websites to think you're on a PC and display the normal
website.With the easy-to-make iPad header in place, Goatse
ran an extremely simple PHP script to guess a variety of ICC-ID
numbers and store the resulting emails. Harvesting private
information that's accidentally exposed is a gray area of the law
info is obviously a crime, though, under various laws, such as
anti-spamming legislation). Since Goatse did not break into
password-protected systems or conduct any sort of serious attack on
AT&T's servers, it's hard to say whether AT&T and the FBI
will be able to successfully prosecute the team.Goatse
Security has issued a response, in which it argues that iPad owners
had a right to know about this security flaw and that it did nothing
wrong. It writes:
disclosure needed to be made. iPad 3G users had the right to know
that their email addresses were potentially public knowledge so they
could take steps to mitigate the issue (like changing their email
address). This was done in service of the American public. Do you
really think corporate privacy breaches should stay indefinitely
secret? I don’t. If you’re potentially on a list of exploit
targets because someone has an iPad Safari vulnerability and they
scraped you in a gigantic list of emails it is best that you are
informed of that sooner than later (after you’ve been successfully
exploited). We did this to help you.
thing that could complicate prosecution is that the Goatse team
appears to at least be partially be based out of France.
A WhoIS lookup on
the domain (security.)goatse.fr reveals that it is hosted by a French registrar by the name of "GANDI" which resides in Paris (the company's contact
email and phone number appear to be included in the registration).
Gandi's website can be found here and
appears to offer hosting and security services.Combining
information provided by the team page on the Goatse Security site and
simple Google name searches, we discovered that a couple of the team
members indeed reside in the U.S.
--Escher Auernheimer (Calif.), Christopher
Abad (Calif.). Others -- such as Sam
Hocevar (France) -- reside outside the country.
quote: I'd fine AT&T $1000 per email released because of their incompetent security policies.