114,000 iPad users hacked via AT&T

To me this comes as no real surprise, as I’m sure some of you know that there were upward of 2 million iPads sold in the last 24 hours (OK, I’m joking). It has been revealed by Gawker that an estimated 114,067 Apple iPads were hacked into via good old AT&T.

The reported hack supposedly comes from Goatse Security, as they were able to literally violate AT&T’s servers and get their grubby hands on private and confidential user information. The breach has affected about 114,067 people and who knows how many more to come. The ironic thing here is that the “hole” was patched up by AT&T only after Goatse let AT&T know. It is reported that some of the victims in this saga were, or are, high-ranking military and government personnel, and even some Fortune 500 CEOs were affected by this amazing feat of security failure.

According to Gawker, here is how it was done:

“When provided with an ICC-ID as part of an HTTP request, the script would return the associated email address, in what was apparently intended to be an AJAX-style response within a Web application. The security researchers were able to guess a large swath of ICC IDs by looking at known iPad 3G ICC IDs, some of which are shown in pictures posted by gadget enthusiasts to Flickr and other internet sites, and which can also be obtained through friendly associates who own iPads and are willing to share their information, available within the iPad “Settings” application”.

“To make AT&T’s servers respond, the security group merely had to send an iPad-style “User agent” header in their Web request. Such headers identify users’ browser types to websites”.

“The group wrote a PHP script to automate the harvesting of data. Since a member of the group tells us the script was shared with third-parties prior to AT&T closing the security hole, it’s not known exactly whose hands the exploit fell into and what those people did with the names they obtained. A member tells us it’s likely many accounts beyond the 114,000 have been compromised”
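The design flaw in the quoted description, shown from the server side as an added example (not code from AT&T, Gawker or this post): a lookup gated only by a client-chosen header, next to one bound to an authenticated session, plus a simple enumeration check. All names, the session store, the threshold and the sample ICC-IDs are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample records: ICC-ID -> subscriber e-mail (not real values).
SUBSCRIBERS = {
    "89014100000000000001": "alice@example.com",
    "89014100000000000002": "bob@example.com",
}
# Constructed session store: opaque token -> ICC-ID the login was issued for.
SESSIONS = {"tok-alice": "89014100000000000001"}
# Assumed threshold: one device owner has no reason to query many ICC-IDs.
MAX_DISTINCT_IDS = 3
SEEN = defaultdict(set)  # client address -> distinct ICC-IDs requested


@dataclass
class Request:
    client: str
    iccid: str
    user_agent: str = ""
    session_token: Optional[str] = None


def lookup_weak(req: Request) -> Optional[str]:
    """Behaviour in the quote: the only gate is a header the client controls."""
    if "iPad" not in req.user_agent:
        return None
    # Any ICC-ID the caller supplies is answered; ownership is never proven.
    return SUBSCRIBERS.get(req.iccid)


def lookup_hardened(req: Request) -> Optional[str]:
    """Answer only for the ICC-ID bound to an authenticated session."""
    bound_iccid = SESSIONS.get(req.session_token or "")
    if bound_iccid is None or bound_iccid != req.iccid:
        return None  # identical response for unknown, foreign or anonymous
    return SUBSCRIBERS.get(bound_iccid)


def is_enumerating(req: Request) -> bool:
    """Flag a client that asks about more distinct ICC-IDs than the threshold."""
    SEEN[req.client].add(req.iccid)
    return len(SEEN[req.client]) > MAX_DISTINCT_IDS
```

The hardened path treats the ICC-ID as an identifier rather than a credential, so guessing neighbouring values yields nothing without a session issued for that device.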

Maybe this was Goatse’s way of trying to tell Apple they need to move on from AT&T. When selling 2 million units in a couple of months, AT&T should have seen this coming. This is obviously a pretty serious issue, and for the most part has since been taken care of.

Since this news broke it seems that AT&T has patched the hole, but not before the emails and vital information of Rahm Emanuel, the Chief of Staff under Obama, and Michael Bloomberg, the Mayor of NY, were jeopardized. After the fix an AT&T spokesperson was quoted saying, “This issue was escalated to the highest levels of the company and was corrected by Tuesday,” “We have essentially turned off the feature that provided the e-mail addresses.”

“At this point, there is no evidence that any other customer information was shared,” Siegel said.

Good job AT&T, and thanks for keeping up the good work.

