Valleywag’s Ryan Tate breaks the news of a massive security breach that would render at least 114,000 iPad 3G subscribers vulnerable to hacking and spam, among them New York City Mayor Mike Bloomberg, ABC News anchor Diane Sawyer, and apparently even Rahm Emanuel, the White House chief of staff.
While this particular breach is fortunately not going to impact anyone’s security in a meaningful way — it was carried out by a white hat group charmingly called “Goatse Security,” who promptly notified AT&T after they exposed the vulnerability, causing AT&T to close the security hole — it highlights the sloppiness with which AT&T has been handling iPad customers’ data, and serves as a cautionary tale that “Apple” and “security” are not as inextricably linked as many MacHeads think.
Valleywag explains the nuts and bolts of the exploit:
Goatse Security obtained its data through a script on AT&T’s website, accessible to anyone on the internet. When provided with an ICC-ID as part of an HTTP request, the script would return the associated email address, in what was apparently intended to be an AJAX-style response within a Web application. The security researchers were able to guess a large swath of ICC IDs by looking at known iPad 3G ICC IDs, some of which are shown in pictures posted by gadget enthusiasts to Flickr and other internet sites, and which can also be obtained through friendly associates who own iPads and are willing to share their information, available within the iPad “Settings” application.
To make AT&T’s servers respond, the security group merely had to send an iPad-style “User agent” header in their Web request. Such headers identify users’ browser types to websites.
The group wrote a PHP script to automate the harvesting of data. Since a member of the group tells us the script was shared with third-parties prior to AT&T closing the security hole, it’s not known exactly whose hands the exploit fell into and what those people did with the names they obtained. A member tells us it’s likely many accounts beyond the 114,000 have been compromised.
Valleywag’s got the full, must-read scoop.
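The quoted passage describes two weaknesses: a lookup keyed on a guessable, near-sequential ICC-ID, gated only by a client-chosen User-Agent header. The following is an added example, not code from the article, Valleywag, Goatse Security or AT&T. It models that weak check next to a hardened one (authorise on a server-issued session bound to the record, never on headers), and runs an enumeration check over constructed web-server log lines. The endpoint path, log format, ICC-ID values, e-mail addresses and session tokens are all my assumptions.

```python
"""Added example (not from the article): models the described flaw next to a
hardened lookup, and flags ICC-ID enumeration in constructed access logs.
Assumptions: endpoint is GET /lookup?iccid=..., logs are Common Log Format,
session tokens are opaque strings. All data below is made up."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed subscriber table; ICC-IDs and addresses are made up.
SUBSCRIBERS = {
    "8900000000000000001": "alice@example.net",
    "8900000000000000002": "bob@example.net",
    "8900000000000000003": "carol@example.net",
}

# Constructed session store: server-issued token -> ICC-ID it was issued for.
SESSIONS = {"tok-alice": "8900000000000000001"}


def weak_lookup(iccid, headers):
    """The design the article describes: the only gate is the User-Agent
    string, which the client chooses, and the key is a guessable ICC-ID."""
    if "iPad" not in headers.get("User-Agent", ""):
        return None
    return SUBSCRIBERS.get(iccid)


def hardened_lookup(iccid, headers, sessions=SESSIONS):
    """Authorise on a credential the server issued and bound to the record.
    A caller may read only the record its own session was issued for; the
    User-Agent header plays no part in the decision."""
    token = headers.get("Authorization", "")
    if sessions.get(token) != iccid:
        return None  # no session, or a session for a different ICC-ID
    return SUBSCRIBERS.get(iccid)


# Common Log Format prefix up to the ICC-ID query parameter (assumed layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"GET /lookup\?iccid=(?P<iccid>\d{19,20}) '
)


def detect_enumeration(log_lines, max_ids=5, window=timedelta(minutes=10)):
    """Return {client_ip: distinct_iccids} for clients that query at least
    max_ids different ICC-IDs inside one window. A genuine device touches a
    single ICC-ID, so many distinct IDs from one source is the signal."""
    seen = defaultdict(list)  # ip -> [(timestamp, iccid)]
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        seen[m["ip"]].append((ts, m["iccid"]))
    flagged = {}
    for ip, events in seen.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            ids = {icc for t, icc in events[i:] if t - start <= window}
            if len(ids) >= max_ids:
                flagged[ip] = len(ids)
                break
    return flagged


# Constructed log: one client walking six consecutive IDs in twelve seconds,
# one ordinary client refreshing its own record twice.
SAMPLE_LOG = [
    f'203.0.113.7 - - [09/Jun/2010:14:00:{s:02d} +0000] '
    f'"GET /lookup?iccid=89000000000000000{n:02d} HTTP/1.1" 200 48 "-" "Mozilla/5.0 (iPad)"'
    for s, n in zip(range(0, 12, 2), range(1, 7))
] + [
    '198.51.100.9 - - [09/Jun/2010:14:03:00 +0000] '
    '"GET /lookup?iccid=8900000000000000001 HTTP/1.1" 200 48 "-" "Mozilla/5.0 (iPad)"',
    '198.51.100.9 - - [09/Jun/2010:14:03:30 +0000] '
    '"GET /lookup?iccid=8900000000000000001 HTTP/1.1" 200 48 "-" "Mozilla/5.0 (iPad)"',
]

if __name__ == "__main__":
    print(detect_enumeration(SAMPLE_LOG))  # {'203.0.113.7': 6}
```

The point of the two lookups side by side: the weak one ties the lookup to a guessable key and to a header the caller writes, so anyone can spoof both; the hardened one returns a record only to the session it was issued for, so a guessed ICC-ID yields nothing. The log check is the kind of rule that would have surfaced a harvesting script long before 114,000 rows went out.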