Print 36 comment(s) - last by lukasbradley.. on Jun 17 at 11:33 AM

Apple's Safari has gone wrong on the iPad, says Goatse Security, which says that .  (Source: Warner Brothers)

The flaw could be used to target attacks on corporate networks which bypass firewall protections.  (Source: My Bank Tracker)
Group says Apple and AT&T are threatening national security and customers with their negligence

You've just conducted perhaps the biggest info leak in AT&T's recent history, you're under FBI investigation, and you have Apple and AT&T breathing down your necks.  What do you do next?

Well if you're Goatse Security, which prides itself at making "gaping holes exposed" (which happens to be its slogan),  the answer is apparently to discuss more attacks on the iPad.

In response to AT&T's claim that the security researchers at Goatse Security were "malicious" "hackers" who "attacked" AT&T's servers, Goatse has issued the second emphatic response in just a couple days, arguing that AT&T and Apple are doing too little to protect iPad customers from harm

Goatse Security's Escher Auernheimer writes that the ICC-IDs garnered by freely querying AT&T's website could be used to determine iPad owners' locations.

Furthermore, Auernheimer says the exploit in Apple's Safari browser he published in March has not been patched on the iPad yet and could be combined with the ICC-ID data to perform targeted attacks.  The exploit uses an integer overflow exploit, which gives access to proxy connections over banned ports, allowing all sorts of ill purposes including spewing spam and malware deliveries to locally networked machines.

Goatse Security calls AT&T's delay in publishing notice to its customers about the website flaw, after it was fixed last week, unacceptable.  It writes:

AT&T had plenty of time to inform the public before our disclosure. It was not done. Post-patch, disclosure should be immediate– within the hour. Days afterward is not acceptable. It is theoretically possible that in the span of a day (particularly after a hole was closed) that a criminal organization might decide to use an old dataset to exploit users before the users could be enlightened about the vulnerability.

And it says Apple and AT&T are engaging in more of the same with the Safari flaw.  It writes:

The potential for this sort of attack and the number of iPad users on the list we saw who were stewards of major public and commercial infrastructure necessitated our public disclosure. People in critical positions have a right to completely understand the scope of vulnerability immediately. Not days or weeks or months after potential intrusion.

If Apple and AT&T do not patch this flaw and fast, the iPad could soon become the tool of choice for attacking corporate networks.  All you would have to do is gain access to the network itself (which can be accomplished via a variety of techniques either social engineering or otherwise) and then jump on and carry out attacks -- bypassing all firewall protections.  Even better yet, imagine if you were on site -- you could easily snatch someone's iPad lying around their office and use its preconfigured wireless to wreak havoc on local networks, without even needing to gain network access.

Goatse Security is arguing that it's doing nothing wrong and is doing the public a service with its announcements.  It says it is the negligence of Apple and AT&T that is a threat, both to customers and to national security.

Comments     Threshold

This article is over a month old, voting and posting comments is disabled

By R3T4rd on 6/16/2010 4:10:44 AM , Rating: 2
Um, I think what Jason was getting to is that if you can get ur hands on a Laptop within a company's network, ur most likely locked out. Most standard users and accounts that are wide open logged-in at said company have limited power and cannot do anything much. Even CEO's and High Mgmnt have just a tad bit more power than your typical UCA type accounts. However, playing devil's advocate, if you were able to get ur hands on one of the System Administrator's or IT Tech's Laptop for said company with his/her logon already intact, thats a different story.

An iPad on the other hand, with so many flaws and open security holes like the stary night sky, is differnt. If you can steal one in said company's network and it had access to said company's network, is more susceptible to being able to be hacked into and used as a tool to hack into said company's network. I don't even think the iPad being based on the iPhone's OS, has any security layers like a UCA type.

It just goes to show you why Apple will never gain enterprise acceptability. Why would some companies and even our elected moronic leaders even use any Apple products is beyond my comprehension.

By muhahaaha on 6/16/2010 10:51:21 AM , Rating: 2
"It seems as though my state-funded math degree has failed me. Let the lashings commence." -- DailyTech Editor-in-Chief Kristopher Kubicki

Most Popular ArticlesAre you ready for this ? HyperDrive Aircraft
September 24, 2016, 9:29 AM
Leaked – Samsung S8 is a Dream and a Dream 2
September 25, 2016, 8:00 AM
Yahoo Hacked - Change Your Passwords and Security Info ASAP!
September 23, 2016, 5:45 AM
A is for Apples
September 23, 2016, 5:32 AM
Walmart may get "Robot Shopping Carts?"
September 17, 2016, 6:01 AM

Copyright 2016 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki