AT&T has blocked access to a feature on its website that revealed the email addresses of at least 114,000 iPad users.
Gawker.com reported that it is possible that confidential information about every iPad 3G owner in the US has been exposed, including thousands of A-listers in finance, politics and media, from New York Times CEO Janet Robinson to Diane Sawyer of ABC News to film mogul Harvey Weinstein to New York Mayor Michael Bloomberg.
It claimed that although the security vulnerability was confined to AT&T servers, Apple bears responsibility for ensuring the privacy of its users, who must provide the company with their email addresses to activate their iPads.
The subscriber data was obtained by a group calling itself Goatse Security, which passed the details of the hack to Gawker. Gawker reported that Goatse obtained its data through a script on AT&T's website that was accessible to anyone on the internet.
When provided with an ICC-ID as part of an HTTP request, the script would return the associated email address, in what was apparently intended to be an AJAX-style response within a web application. The security researchers were able to guess a large swath of ICC-IDs by extrapolating from known iPad 3G ICC-IDs. To make AT&T's servers respond, the group merely had to send an iPad-style 'User-Agent' header with the request. Such headers identify the client's browser type to websites, but they are set by the client and can be spoofed freely, so they are no substitute for authentication.
The group wrote a PHP script to automate the harvesting. A member of the group told Gawker that the script was shared with third parties before AT&T closed the security hole, so it is not known exactly whose hands the exploit fell into or what those people did with the addresses they obtained. The same member told Gawker that it was likely that many accounts beyond the 114,000 had been compromised.
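The design flaw described above, modelled as an added example (this is not AT&T's code or the Goatse script): a lookup endpoint whose only "control" is a client-chosen User-Agent header and which treats a client-supplied ICC-ID as an object reference without checking that it belongs to the caller, next to a hardened version that resolves the ICC-ID from an authenticated session and never reads it from the query string. The harvesting loop goes one step beyond the article by recomputing the Luhn check digit that ICC-IDs (ITU-T E.118) carry, so the neighbours of a known ID are generated rather than guessed. The issuer prefix, the subscriber table, the spoofed User-Agent string and the bearer-token session map are all constructed for the example.

```python
"""Constructed model of an ICC-ID -> e-mail lookup gated only by User-Agent,
beside a hardened form.  All identifiers, prefixes and data are hypothetical."""
from typing import Callable

# Hypothetical issuer prefix: 89 = telecom (ITU-T E.118), 01 = US, then issuer digits.
ICCID_PREFIX = "89014104"
SERIAL_WIDTH = 11          # prefix (8) + serial (11) + Luhn digit (1) = 20 digits


def luhn_check_digit(payload: str) -> str:
    """Return the Luhn check digit for a string of digits (ISO/IEC 7812 scheme)."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:          # rightmost payload digit is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    return number.isdigit() and len(number) > 1 and luhn_check_digit(number[:-1]) == number[-1]


def make_iccid(serial: int) -> str:
    """Build a syntactically valid 20-digit ICC-ID from a serial number."""
    payload = f"{ICCID_PREFIX}{serial:0{SERIAL_WIDTH}d}"
    return payload + luhn_check_digit(payload)


# Constructed subscriber table: a block of consecutive serials, as a carrier that
# provisions SIMs in batches would produce.  Not real subscribers.
SEED_SERIAL = 21_500_000_000
SUBSCRIBERS = {make_iccid(SEED_SERIAL + k): f"user{k}@example.com" for k in range(0, 40, 3)}

Request = dict  # {"headers": {...}, "query": {...}}


def vulnerable_lookup(req: Request) -> tuple:
    """Flawed design: identity is inferred from a client-chosen header, and the ICC-ID
    is a client-supplied object reference with no check that it belongs to the caller."""
    if "iPad" not in req["headers"].get("User-Agent", ""):
        return 403, None
    email = SUBSCRIBERS.get(req["query"].get("ICCID", ""))
    return (200, email) if email else (404, None)


def hardened_lookup(req: Request, sessions: dict) -> tuple:
    """Hardened form: the ICC-ID comes from an authenticated session (hypothetical
    bearer token -> ICC-ID map), never from the query string; the UA is ignored."""
    iccid = sessions.get(req["headers"].get("Authorization"))
    if iccid is None:
        return 401, None
    email = SUBSCRIBERS.get(iccid)
    return (200, email) if email else (404, None)


def enumerate_neighbours(serial: int, span: int):
    """Valid ICC-IDs around a known serial; the check digit is recomputed, not guessed."""
    for s in range(serial - span, serial + span + 1):
        yield make_iccid(s)


def harvest(lookup: Callable[[Request], tuple], known_serial: int, span: int) -> dict:
    """Replay the harvesting loop: walk ICC-IDs near a known one, spoof the header, keep hits."""
    spoofed_ua = "Mozilla/5.0 (iPad; CPU OS 3_2 like Mac OS X)"   # hypothetical, client-chosen
    found = {}
    for iccid in enumerate_neighbours(known_serial, span):
        status, email = lookup({"headers": {"User-Agent": spoofed_ua}, "query": {"ICCID": iccid}})
        if status == 200:
            found[iccid] = email
    return found


if __name__ == "__main__":
    print("vulnerable endpoint leaked:", len(harvest(vulnerable_lookup, SEED_SERIAL + 20, 50)))
    print("hardened endpoint leaked:  ", len(harvest(lambda r: hardened_lookup(r, {}), SEED_SERIAL + 20, 50)))
```

Against the vulnerable endpoint one known ICC-ID and a span of 50 recovers every seeded subscriber; against the hardened endpoint the same loop recovers nothing, because the server never looks at the ICC-ID the client sends. Note that rate limiting alone would not have fixed the design: the object reference still needs to be bound to the authenticated caller.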
A blogger known as the IT security guy said: “AT&T said that it has already closed the hole, but the question remains of why they stored such information on a publicly accessible website in the first place.
“While stolen email addresses by themselves aren't of much use, other than to add to spam mailing lists, the hacking group, Goatse, was also able to get the ICC-ID of iPads. The ICC-ID is a unique identification number for the iPad. AT&T denied the ICC-ID could be used for anything other than getting an email address, but some security experts cautioned it could still possibly lead to finding the device's location.”
Boaz Gelbord, executive director of information security at Wireless Generation and founder of Security Scoreboard, said: “Email addresses can be changed. But the leak also exposed something called the ICC-ID, a number that uniquely identifies a device's SIM card. At the time of writing there is still no official announcement on what is going to happen with the leaked identifiers.
“My guess is that they can't be reliably changed without a manual recall. This raises privacy concerns for the affected users, since ICC-IDs are relatively liberally shared during the course of network communications.
“But in the end it doesn't really matter. Using an iPad or an iPhone already binds your personal information to your web traffic in a much deeper way than your old-fashioned Mac or PC.
“After all, most iPhones are full of apps that tie your real actual personal data - your name, credit card, address, etc to your device. iTunes works the same way. And unlike a full-blown computer, iPhones and iPads afford very little GUI control of what is happening in the background. You could of course gain control through jailbreaking. But that's not the MO of 99 per cent of users, and violates the terms of service to boot.”
Ron Gula, CEO of Tenable Network Security, claimed that any failure on AT&T's part was due to a lack of monitoring and alerting when the brute force queries began. He said: “AT&T may have had the world's best patching and security program and this box may have resisted penetration attempts from the best tools and attackers.
“However, the web service exploited to obtain the iPad user emails worked by design. If there was any failure on AT&T's part it was a lack of monitoring and alerting when the brute force queries began or not conducting a detailed enough risk assessment.”
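The monitoring gap Gula points to, as an added example that is not AT&T's tooling or anyone quoted here: a sliding-window detector over web access logs that flags a source address when it either hammers the lookup endpoint or walks many distinct ICC-IDs in a short period, the signature of enumeration rather than a device fetching its own record. The log format is Apache combined style; the endpoint path `/iccid_lookup`, the addresses, the User-Agent string, the thresholds and the traffic itself are all constructed for the example.

```python
"""Constructed detection for enumeration of an ICC-ID lookup endpoint.
Log format, endpoint path, addresses, thresholds and traffic are hypothetical."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined-format access line, e.g. (constructed):
# 203.0.113.7 - - [09/Jun/2010:14:00:00 +0000] "GET /iccid_lookup?ICCID=8901... HTTP/1.1" 404 58 "-" "Mozilla/5.0 (iPad ...)"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
ICCID_RE = re.compile(r'[?&]ICCID=(\d{19,20})')
ENDPOINT = "/iccid_lookup"   # hypothetical path


def parse_line(line: str):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    q = ICCID_RE.search(m["path"])
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "path": m["path"], "status": int(m["status"]),
            "iccid": q.group(1) if q else None, "ua": m["ua"]}


def detect(lines, window=timedelta(seconds=60), max_requests=20, max_distinct=10):
    """Per-source sliding-window counters over the lookup endpoint.  Returns
    {ip: details} for each source that trips a threshold, recorded at first trip."""
    recent = defaultdict(deque)
    alerts = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or not ev["path"].startswith(ENDPOINT):
            continue
        q = recent[ev["ip"]]
        q.append(ev)
        while q and ev["ts"] - q[0]["ts"] > window:   # drop events outside the window
            q.popleft()
        distinct = {e["iccid"] for e in q if e["iccid"]}
        misses = sum(1 for e in q if e["status"] == 404)   # enumeration produces many misses
        if (len(q) >= max_requests or len(distinct) >= max_distinct) and ev["ip"] not in alerts:
            alerts[ev["ip"]] = {"first_trip": ev["ts"], "requests": len(q),
                                "distinct_iccids": len(distinct), "misses": misses,
                                "reason": "rate" if len(q) >= max_requests else "enumeration"}
    return alerts


def build_sample_log() -> list:
    """Constructed traffic: one genuine device re-fetching its own record three times
    over ten minutes, and one harvester walking 150 consecutive ICC-IDs in 90 seconds."""
    base = datetime(2010, 6, 9, 14, 0, 0, tzinfo=timezone.utc)
    ua = "Mozilla/5.0 (iPad; CPU OS 3_2 like Mac OS X)"   # hypothetical, same on both clients
    events = []
    for k in range(3):
        events.append(("198.51.100.23", base + timedelta(minutes=4 * k), "89014104210000000011", 200))
    for k in range(150):
        events.append(("203.0.113.7", base + timedelta(seconds=0.6 * k),
                       str(89014104210000000000 + k), 200 if k % 5 == 0 else 404))
    events.sort(key=lambda e: e[1])
    return [f'{ip} - - [{ts:%d/%b/%Y:%H:%M:%S %z}] "GET {ENDPOINT}?ICCID={iccid} HTTP/1.1" '
            f'{status} 58 "-" "{ua}"' for ip, ts, iccid, status in events]


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for ip, details in detect(SAMPLE_LOG).items():
        print(ip, details)
```

On the constructed log the harvester trips the distinct-ICC-ID threshold on its tenth request, a few seconds in, while the genuine device (one ICC-ID, three requests spread over minutes) never registers. The User-Agent is deliberately identical on both clients, so the detector does not rely on it; the signal is the per-source fan-out across identifiers and the miss ratio, which is what a risk assessment of an unauthenticated lookup should have told the operator to watch.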