News that vulnerabilities on the AT&T network allowed a group calling itself Goatse Security to harvest emails and AT&T authentication IDs of 114,000 early-adopters of Apple’s iPad shocked potential victims.
Goatse Security has a history of warning about security vulnerabilities, and they managed to get their hands on the data by using a script on the AT&T’s website.
“When provided with an ICC-ID as part of an HTTP request, the script would return the associated email address, in what was apparently intended to be an AJAX-style response within a Web application. The security researchers were able to guess a large swath of ICC IDs by looking at known iPad 3G ICC IDs, some of which are shown in pictures posted by gadget enthusiasts to Flickr and other internet sites, and which can also be obtained through friendly associates who own iPads and are willing to share their information, available within the iPad “Settings” application,” reports Gawker. “To make AT&T’s servers respond, the security group merely had to send an iPad-style “User agent” header in their Web request.”
They also devised a PHP script that harvested the data automatically (made public by Praetorian Prefect).
They eventually notified AT&T of the vulnerability, but not before sharing the script with people outside their group – making it likely that other accounts beside the 114,000 confirmed by Goatse have been compromised.
But, what really made this news reverberate throughout the world is the fact that among the massive number of compromised accounts and email addresses, were those of many a military official, top politician, CEO and media mogul. To name just a few: top executives at New York Times Company, Dow Jones, CondÃ© Nast, Time Warner, HBO and other media companies; accounts at Google, Amazon, Microsoft and AOL; accounts at financial institutions and venture capital and private equity firms. Many accounts seemingly belonging to a number of staffers in Senate, Department of Justice, DHS, and others state and federal institutions were also compromised, including one that looks like it belongs to White House Chief of Staff Rahm Emanuel:
Consequences of this breach may range from those email accounts being inundated with spam to device spoofing on the network or even traffic interception using the compromised authentication ID – the jury is still out on all the possible ramifications.
What is sure is that this breach will reflect very poorly on AT&T and on Apple, since AT&T is, so far, the only mobile carrier that iPad 3G users can use.