The hack that stole the email addresses of iPad users wasn't even a hack in the truest sense, security experts are saying today. The Goatse Security team that pulled off the feat simply overpowered bad software. The story broke yesterday that a leak in AT&T's security had given away the email addresses of more than 100,000 people, including some of the famous and influential who were first to adopt the tablet—Diane Sawyer, New York Mayor Mike Bloomberg, and even White House Chief of Staff Rahm Emanuel.
The specific information exposed in the breach included subscribers' email addresses, coupled with an associated ID used to authenticate the subscriber on AT&T's network, known as the ICC-ID. ICC-ID stands for integrated circuit card identifier and is used to identify the SIM cards that associate a mobile device with a particular subscriber [Gawker].
The Praetorian Security Group, which got a copy of the script used to grab e-mail addresses from AT&T's servers, says that it didn't take a sophisticated hack to steal those email address, just a brute force attack:
"There's no hack, no infiltration, and no breach, just a really poorly-designed Web application that returns e-mail address when ICC-ID is passed to it," Praetorian said in a late Wednesday entry on its security blog [Computer World].
Happily for the aggrieved iPad users, the stolen info included only email addresses and not credit card or social security numbers. AT&T says it has fixed the issue and will notify anyone whose address was stolen. Interestingly, though, Goatse didn't exactly play by the rules of white hat hacking here.
The true motive behind Goatse Security exposing this information is unknown. Had the group followed generally accepted vulnerability disclosure ethics, it would have contacted AT&T directly to notify them of the flaw, and allowed AT&T a reasonable amount of time to respond to the issue before announcing the discovery. And, of course, an ethical disclosure would not include exposing the compromised data. Perhaps Goatse Security simply wanted to embarrass AT&T or Apple [PC World].
Related Content: Discoblog: DISCOVER’s iPad Arrived Early… And It’s AWESOME