A hacking group has obtained the e-mail addresses of 114,000 owners of 3G iPads by exploiting a security hole on AT&T’s Web site, according to a report by Gawker.
The group also obtained the identification number that those iPads use when they communicate over AT&T’s network, known as an ICC-ID. It is not clear what that information could be used for.
According to Gawker, which was given a copy of the list of e-mail addresses, it includes military personnel, staff members in the Senate and the House of Representatives, and people at the Justice Department, NASA and the Department of Homeland Security. Private-sector addresses that were exposed include those of executives at the New York Times Company, Dow Jones, Condé Nast, Viacom, Time Warner, the News Corporation, HBO and Hearst, along with bankers and venture capitalists.
The hacking group, Goatse Security, found that a program on AT&T’s Web site, when given an iPad’s ID number, would return the owner’s e-mail address. The group used a script that could guess IDs and collect the associated e-mail addresses. It eventually notified AT&T of the breach, and the security hole was closed.
- Information Leakage: the customer's e-mail address is exposed by the web application on AT&T's website when sent a valid ICC-ID as part of an HTTP request. Why would the e-mail need to be sent back to an iPad? Who knows.
- Insufficient Anti-Automation: once the leakage was discovered, Goatse Security created a custom PHP script which was used to "semi-smartly" brute force the AT&T page in an attempt to find valid ICC-IDs and thus harvest their associated e-mail addresses. This led to the discovery of 114,000 ICC-IDs and e-mail addresses.
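Both weaknesses above have the same operational signature: the lookup endpoint answered any ICC-ID it was handed, and nothing on the server side noticed a single source walking through thousands of IDs, most of which did not exist. The following Python is an added example, not code from the article, from AT&T or from Goatse Security; it scans web-server access logs for that enumeration pattern (one client, many distinct IDs, a high share of misses). The endpoint path `/device/email`, the `iccid` query parameter, the log lines and the thresholds are all constructed assumptions for illustration.

```python
"""Detect ICC-ID enumeration against an e-mail lookup endpoint from web logs.

Added illustrative code; the combined-log format, the endpoint path
(/device/email) and the query parameter name (iccid) are assumptions,
not details taken from the article.
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
LOOKUP_PATH = "/device/email"   # assumed endpoint that maps an ICC-ID to an e-mail
ID_PARAM = "iccid"              # assumed query parameter carrying the ICC-ID

# Constructed sample log: one source cycles through consecutive IDs (mostly
# misses), while two genuine devices only ever look up their own ID.
SAMPLE_LOG = """\
203.0.113.10 - - [09/Jun/2010:10:00:01 +0000] "GET /device/email?iccid=89014103211118510720 HTTP/1.1" 200 57
203.0.113.10 - - [09/Jun/2010:10:00:01 +0000] "GET /device/email?iccid=89014103211118510721 HTTP/1.1" 404 0
203.0.113.10 - - [09/Jun/2010:10:00:02 +0000] "GET /device/email?iccid=89014103211118510722 HTTP/1.1" 404 0
203.0.113.10 - - [09/Jun/2010:10:00:02 +0000] "GET /device/email?iccid=89014103211118510723 HTTP/1.1" 200 61
203.0.113.10 - - [09/Jun/2010:10:00:03 +0000] "GET /device/email?iccid=89014103211118510724 HTTP/1.1" 404 0
203.0.113.10 - - [09/Jun/2010:10:00:03 +0000] "GET /device/email?iccid=89014103211118510725 HTTP/1.1" 404 0
203.0.113.10 - - [09/Jun/2010:10:00:04 +0000] "GET /device/email?iccid=89014103211118510726 HTTP/1.1" 404 0
203.0.113.10 - - [09/Jun/2010:10:00:04 +0000] "GET /device/email?iccid=89014103211118510727 HTTP/1.1" 404 0
198.51.100.7 - - [09/Jun/2010:10:00:02 +0000] "GET /device/email?iccid=89014103211118512345 HTTP/1.1" 200 59
198.51.100.7 - - [09/Jun/2010:10:05:09 +0000] "GET /device/email?iccid=89014103211118512345 HTTP/1.1" 200 59
198.51.100.8 - - [09/Jun/2010:10:01:30 +0000] "GET /device/email?iccid=89014103211118519876 HTTP/1.1" 200 60
198.51.100.8 - - [09/Jun/2010:10:01:31 +0000] "GET /static/logo.png HTTP/1.1" 200 4096
"""


def parse_line(line):
    """Return (ip, timestamp, iccid, status) for a lookup request, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != LOOKUP_PATH:
        return None                      # not the lookup endpoint; ignore
    ids = parse_qs(parts.query).get(ID_PARAM)
    if not ids:
        return None                      # lookup hit without an ICC-ID parameter
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, ids[0], int(m.group("status"))


def detect_enumeration(log_text, distinct_id_threshold=5, max_miss_ratio=0.5):
    """Flag sources that query many distinct ICC-IDs or mostly miss.

    A genuine device only asks about its own ICC-ID, so one source cycling
    through many IDs, most of which do not exist, is the enumeration pattern.
    Returns {ip: stats} for every flagged source.
    """
    per_ip = defaultdict(lambda: {"ids": set(), "requests": 0, "misses": 0,
                                  "first": None, "last": None})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, iccid, status = parsed
        s = per_ip[ip]
        s["ids"].add(iccid)
        s["requests"] += 1
        if status == 404:
            s["misses"] += 1
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)

    flagged = {}
    for ip, s in per_ip.items():
        distinct = len(s["ids"])
        miss_ratio = s["misses"] / s["requests"]
        span = (s["last"] - s["first"]).total_seconds()
        # Either signal alone is enough; the miss-ratio rule needs a few
        # requests so one typo from a real device does not trip it.
        if distinct >= distinct_id_threshold or (s["requests"] >= 4 and miss_ratio > max_miss_ratio):
            flagged[ip] = {"distinct_ids": distinct, "requests": s["requests"],
                           "misses": s["misses"], "miss_ratio": round(miss_ratio, 2),
                           "span_seconds": span}
    return flagged


if __name__ == "__main__":
    for ip, stats in detect_enumeration(SAMPLE_LOG).items():
        print(ip, stats)
```

Counting distinct IDs per source is the stronger of the two signals: a per-IP request rate limit on its own is easy to stay under, and enumeration spread over many sources still shows up as many distinct IDs with a high miss ratio once the same counts are kept per device session or per account. Detection is the fallback; the fix the article describes, closing the hole, amounts to not returning the e-mail address to an unauthenticated lookup at all.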