In association with heise online

10 June 2010, 16:04

AT&T lets 114,000 email addresses of iPad owners leak out

Hackers have managed to exploit a vulnerability on a web server of the US operator AT&T to obtain the email addresses of more than 100,000 iPad owners. According to a report in the Valleywag blog, the list includes numerous prominent early adopters, among them leading employees of large media companies, politicians, business leaders, scientists and William Eldridge, the commander of the largest B1 bomber squadron in the US Air Force.

However, iPad owners are unlikely to be exposed to increased spam and virus mails as a consequence of the attack, because Goatse Security, the hacker group that carried it out, has not published the list and AT&T has now closed the hole. The attack does put AT&T in a worse light, as it is already under fire over changes to its pricing policies and poor service for consumers. AT&T has officially confirmed that the gap existed, but says that only email addresses have been acquired and passed around. The New York Times has, according to another report in Valleywag, told employees not to use the 3G network capabilities of the iPad while the issue is being investigated and resolved. Apple has, so far, not officially responded to the reports.

To get the email addresses, the hackers used a home-grown PHP script which sent ICC IDs from SIMs to the AT&T server. When a valid ICC ID was sent, the AT&T server responded with an email address. The server expected to be called, as part of an AJAX-style query, by an application on the iPad in order to speed up logging into an AT&T bill management service.

The group obtained valid ICC IDs by examining published photos of iPad SIM cards on sites such as Flickr. Starting from these IDs, the script incremented or decremented the value to find other IDs. The only hurdle in the attack was that the server would respond only when the user agent in the HTTP request identified an iPad, which was accomplished with only one line of code. Whether knowledge of a valid ICC ID can serve as a starting point for further attacks is a question that experts are currently debating.
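A log check for the enumeration pattern described above, as an added example that is not part of the original article: it flags clients that request many numerically adjacent ICC IDs and counts how many of those requests returned a record. The log format, the `/lookup?iccid=` path, the thresholds and all sample values are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log: client IP, request line, status, User-Agent.
# The /lookup?iccid= path and every value here are made up for illustration.
BASE = 8900000000000000000
SAMPLE_LOG = "\n".join(
    # One client walking consecutive ICC IDs (200 = an address was returned).
    [f'203.0.113.9 "GET /lookup?iccid={BASE + 1000 + i} HTTP/1.1" {code} "iPad"'
     for i, code in enumerate([404, 200, 404, 404, 200, 404, 200, 404])]
    # A genuine device repeatedly asking about its own SIM.
    + ['198.51.100.7 "GET /lookup?iccid=8900000000000777001 HTTP/1.1" 200 "iPad"'] * 3
    # A shared gateway: several devices, unrelated ICC IDs.
    + [f'192.0.2.50 "GET /lookup?iccid={BASE + 1000003 * k} HTTP/1.1" 200 "iPad"'
       for k in (3, 11, 29, 41, 57)]
)

LINE_RE = re.compile(r'^(\S+) "GET /lookup\?iccid=(\d{19,20}) HTTP/1\.[01]" (\d{3}) ')

def find_enumerators(log_text, min_ids=5, max_gap=100, min_ratio=0.8):
    """Return {client: {"ids": n, "hits": m}} for clients sweeping the ID space.

    The User-Agent is deliberately ignored: the client controls it, so it
    neither authenticates a device nor separates a script from an iPad.
    """
    ids = defaultdict(set)    # client -> distinct ICC IDs requested
    hits = defaultdict(set)   # client -> ICC IDs that returned a record
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, iccid, status = m.group(1), int(m.group(2)), m.group(3)
        ids[client].add(iccid)
        if status == "200":
            hits[client].add(iccid)

    flagged = {}
    for client, seen in ids.items():
        if len(seen) < min_ids:
            continue
        ordered = sorted(seen)
        gaps = [b - a for a, b in zip(ordered, ordered[1:])]
        # A sweep leaves most requested IDs numerically next to another one.
        if sum(g <= max_gap for g in gaps) >= min_ratio * len(gaps):
            flagged[client] = {"ids": len(seen), "hits": len(hits[client])}
    return flagged
```

The `hits` count gives a first estimate of how many addresses a flagged client actually received, which is the number needed when scoping the exposure.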
