
AT&T Security Hole Let Hackers Steal Personal Info From Famous iPad Users

By Andrew Moseman
Jun 10, 2010 7:22 PM (updated Nov 20, 2019 12:58 AM)



The hack that stole the email addresses of iPad users wasn't even a hack in the truest sense, security experts are saying today. The Goatse Security team that pulled off the feat simply took advantage of badly designed software. The story broke yesterday that a hole in AT&T's web security had given away the email addresses of more than 100,000 people, including some of the famous and influential who were first to adopt the tablet: Diane Sawyer, New York Mayor Mike Bloomberg, and even White House Chief of Staff Rahm Emanuel.

The specific information exposed in the breach included subscribers' email addresses, coupled with an associated ID used to authenticate the subscriber on AT&T's network, known as the ICC-ID. ICC-ID stands for integrated circuit card identifier and is used to identify the SIM cards that associate a mobile device with a particular subscriber [Gawker].

The Praetorian Security Group, which got a copy of the script used to grab email addresses from AT&T's servers, says that it didn't take a sophisticated hack to steal those email addresses, just a brute-force attack that fed the server one ICC-ID after another and collected whatever came back:

"There's no hack, no infiltration, and no breach, just a really poorly-designed Web application that returns e-mail address when ICC-ID is passed to it," Praetorian said in a late Wednesday entry on its security blog [Computer World].
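To make Praetorian's point concrete, here is an added example (not code from the article, from AT&T or from Goatse Security) that models the flaw in a few dozen lines: a lookup that hands back an email address to anyone who supplies a well-formed ICC-ID, the enumeration script that walks the id space, and a hardened version of the same lookup. ICC-IDs are assigned sequentially per issuer and end in a Luhn check digit (ITU-T E.118), which is why guessing them is cheap. The issuer prefix, the subscriber directory, the email addresses, the server key and the rate limit are all constructed sample values.

```python
"""Added example: model of an unauthenticated ICC-ID -> e-mail lookup,
the enumeration that harvests it, and a hardened lookup.  All data is
constructed; nothing here is AT&T's code or endpoint."""
import hashlib
import hmac
from collections import defaultdict
from typing import Callable, Dict, Optional

# Constructed issuer prefix: 89 (telecom MII), 01 (country code), then issuer digits.
PREFIX = "8901410321111851"
SERVER_KEY = b"constructed-server-secret"   # assumption: a real deployment keeps this in a KMS/HSM


def luhn_check_digit(body: str) -> str:
    """Luhn check digit that E.118 appends to the ICC-ID body."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:                       # digit next to the check position is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def make_icc_id(serial: int) -> str:
    """Sequential serial under one issuer prefix, plus its check digit (20 digits)."""
    body = f"{PREFIX}{serial:03d}"
    return body + luhn_check_digit(body)


# Constructed subscriber directory: five SIMs scattered across a 1000-id window.
DIRECTORY: Dict[str, str] = {make_icc_id(s): e for s, e in [
    (100, "anchor@example-news.test"),
    (101, "mayor@example-city.test"),
    (102, "chief@example-gov.test"),
    (105, "editor@example-mag.test"),
    (250, "reader@example.test"),
]}


def vulnerable_lookup(icc_id: str, session_token: Optional[str], client: str) -> Optional[str]:
    """The flawed design: a guessable identifier is treated as proof of identity."""
    return DIRECTORY.get(icc_id)


# --- hardened design: rate limit per client, and bind the lookup to a session ---
_requests: Dict[str, int] = defaultdict(int)
RATE_LIMIT = 20   # constructed: lookups per client per window; a harvester trips this at once


def issue_session_token(icc_id: str) -> str:
    """Issued only after the device has authenticated to the carrier; modelled
    here as an HMAC over the ICC-ID under a server-side key."""
    return hmac.new(SERVER_KEY, icc_id.encode(), hashlib.sha256).hexdigest()


def hardened_lookup(icc_id: str, session_token: Optional[str], client: str) -> Optional[str]:
    """Same lookup, but the caller must be under the rate limit and present a
    token that was issued for the very ICC-ID it is asking about."""
    _requests[client] += 1
    if _requests[client] > RATE_LIMIT:
        return None                                    # throttled
    if session_token is None:
        return None                                    # no session at all
    if not hmac.compare_digest(issue_session_token(icc_id), session_token):
        return None                                    # forged, or issued for another SIM
    return DIRECTORY.get(icc_id)


def enumerate_window(lookup: Callable[[str, Optional[str], str], Optional[str]],
                     start: int, stop: int, client: str = "script") -> Dict[str, str]:
    """What the harvesting script did: walk sequential serials and keep every hit."""
    found: Dict[str, str] = {}
    for serial in range(start, stop):
        icc_id = make_icc_id(serial)
        email = lookup(icc_id, None, client)
        if email:
            found[icc_id] = email
    return found


if __name__ == "__main__":
    print("vulnerable:", len(enumerate_window(vulnerable_lookup, 0, 1000)), "addresses harvested")
    print("hardened:  ", len(enumerate_window(hardened_lookup, 0, 1000)), "addresses harvested")
    own = make_icc_id(101)
    print("legitimate owner:", hardened_lookup(own, issue_session_token(own), "phone-101"))
```

Running it shows the whole constructed directory falling out of the vulnerable lookup from a single anonymous client, while the hardened lookup returns nothing to the enumerator and still serves a subscriber whose session token was issued for its own SIM. The rate limit is a backstop only; the real fix is that the ICC-ID stops being the credential.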

Happily for the aggrieved iPad users, the exposed information included only email addresses and the associated ICC-IDs, not credit card or Social Security numbers. AT&T says it has fixed the issue and will notify anyone whose address was exposed. Interestingly, though, Goatse didn't exactly play by the rules of responsible disclosure here.

The true motive behind Goatse Security exposing this information is unknown. Had the group followed generally accepted vulnerability disclosure ethics, it would have contacted AT&T directly to notify them of the flaw, and allowed AT&T a reasonable amount of time to respond to the issue before announcing the discovery. And, of course, an ethical disclosure would not include exposing the compromised data. Perhaps Goatse Security simply wanted to embarrass AT&T or Apple [PC World].


Image: Apple
