Register for an account


Enter your name and email address below.

Your email address is used to log in and will not be shared or sold. Read our privacy policy.


Website access code

Enter your access code into the form field below.

If you are a Zinio, Nook, Kindle, Apple, or Google Play subscriber, you can enter your website access code to gain subscriber access. Your website access code is located in the upper right corner of the Table of Contents page of your digital edition.


AT&T Security Hole Let Hackers Steal Personal Info From Famous iPad Users

80beatsBy Andrew MosemanJune 10, 2010 7:22 PM


Sign up for our email newsletter for the latest science news

The hack that stole the email addresses of iPad users wasn't even a hack in the truest sense, security experts are saying today. The Goatse Security team that pulled off the feat simply overpowered bad software. The story broke yesterday that a leak in AT&T's security had given away the email addresses of more than 100,000 people, including some of the famous and influential who were first to adopt the tablet—Diane Sawyer, New York Mayor Mike Bloomberg, and even White House Chief of Staff Rahm Emanuel.

The specific information exposed in the breach included subscribers' email addresses, coupled with an associated ID used to authenticate the subscriber on AT&T's network, known as the ICC-ID. ICC-ID stands for integrated circuit card identifier and is used to identify the SIM cards that associate a mobile device with a particular subscriber [Gawker].

The Praetorian Security Group, which got a copy of the script used to grab e-mail addresses from AT&T's servers, says that it didn't take a sophisticated hack to steal those email address, just a brute force attack:

"There's no hack, no infiltration, and no breach, just a really poorly-designed Web application that returns e-mail address when ICC-ID is passed to it," Praetorian said in a late Wednesday entry on its security blog [Computer World].

Happily for the aggrieved iPad users, the stolen info included only email addresses and not credit card or social security numbers. AT&T says it has fixed the issue and will notify anyone whose address was stolen. Interestingly, though, Goatse didn't exactly play by the rules of white hat hacking here.

The true motive behind Goatse Security exposing this information is unknown. Had the group followed generally accepted vulnerability disclosure ethics, it would have contacted AT&T directly to notify them of the flaw, and allowed AT&T a reasonable amount of time to respond to the issue before announcing the discovery. And, of course, an ethical disclosure would not include exposing the compromised data. Perhaps Goatse Security simply wanted to embarrass AT&T or Apple [PC World].

Related Content: Discoblog: DISCOVER’s iPad Arrived Early… And It’s AWESOME

80beats: Apple’ iPad Tablet: It’s Here, It’s Cool, and It’s Slightly Cheaper Than Expected

80beats: iPad Arrives: Some Worship It, Some Critique It, HP Tried To Kill It

80beats: Report: Chinese Hackers Stole Indian Missile Secrets & The Dalai Lama's Email

Image: Apple

3 Free Articles Left

Want it all? Get unlimited access when you subscribe.


Already a subscriber? Register or Log In

Want unlimited access?

Subscribe today and save 70%


Already a subscriber? Register or Log In