::Trend Micro Threat Resource Center::

12 June 2010

114,000 IPad 3G Owners' Email Addresses Exposed By AT&T

A group called Goatse Security was able to harvest 114,067 personal email addresses of iPad 3G buyers from AT&T's website.

Some of the email addresses leaked belong to White House Chief of Staff Rahm Emanuel, New York City Mayor Michael Bloomberg, Diane Sawyer of ABC News, and many CEOs, CFOs, and CTOs. A number of the exposed addresses were even those of DARPA researchers and high-ranking military officials.

Each iPad 3G's SIM card carries an ICC-ID, or "integrated circuit card identifier." The SIM card and its ICC-ID are linked to the subscriber and uniquely identify them to the carrier. Normally this data would not be publicly accessible.

AT&T goofed big time and left a script on their website that anyone could query. Given an ICC-ID, the script responded with the matching subscriber's email address. It was intended to be called by AJAX code on AT&T's own pages, but it had no protection built in: no authentication, no binding of the ICC-ID to the device actually making the request, and no limit on how many lookups one client could make.

This lack of security allowed the researchers to write a simple PHP script that sent an iPad browser User-Agent string and walked through ICC-IDs, one lookup per request, to harvest potentially millions of addresses. The sweep would not have been possible without all the pictures of iPads online, which showed real ICC-IDs and let them guess the ranges in use, since the IDs are issued in sequence. Like any exploit group that wants fame, these guys shared the script and corresponding info with many others like them before reporting the gaping security hole to AT&T.
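The following is an added example, not code from the article, from Goatse Security, or from AT&T. It models the lookup design described above in Python: a weak handler whose only check is the User-Agent header and which resolves any client-supplied ICC-ID, a sequential sweep of the kind the article describes, and a hardened handler that resolves the ICC-ID from an authenticated session instead of the query string and rate-limits misses per client. The subscriber table, ICC-IDs, email addresses, session tokens and User-Agent string are all constructed for illustration.

```python
"""Added example: enumerable ICC-ID -> email lookup beside a hardened design.
All data below is constructed; nothing here is AT&T's code or real subscribers."""
from collections import defaultdict, deque

# Constructed subscriber records keyed by ICC-ID. Real ICC-IDs are 19-20 digit
# numbers issued in sequential batches, which is what makes guessing feasible.
SUBSCRIBERS = {
    "89014104270000012345": "alice@example.com",
    "89014104270000012346": "bob@example.com",
    "89014104270000012347": "carol@example.com",
}

# Constructed iPad User-Agent string. Any HTTP client can send this header,
# so checking it proves nothing about who is asking.
IPAD_UA = "Mozilla/5.0 (iPad; U; CPU OS 3_2 like Mac OS X) AppleWebKit/531.21.10"


def weak_lookup(request):
    """Model of the flawed design: the ICC-ID is taken straight from the query
    string and the only gate is the spoofable User-Agent header."""
    ua = request.get("headers", {}).get("User-Agent", "")
    if "iPad" not in ua:
        return 403, None
    email = SUBSCRIBERS.get(request.get("params", {}).get("ICCID", ""))
    if email is None:
        return 404, None
    return 200, email


def enumerate_sequential(handler, first_iccid, count, headers):
    """Query `count` consecutive ICC-IDs starting at first_iccid and collect
    every email the handler returns. Models the sweep described in the text."""
    found = {}
    base, width = int(first_iccid), len(first_iccid)
    for i in range(count):
        iccid = str(base + i).zfill(width)
        status, email = handler({"headers": headers, "params": {"ICCID": iccid}})
        if status == 200:
            found[iccid] = email
    return found


class HardenedLookup:
    """Hardened design: the ICC-ID is never accepted from the client. It is
    resolved from an authenticated session (here a constructed token -> ICC-ID
    map; a real deployment would establish it by authenticating the
    subscriber), and misses are rate-limited per client so bulk probing stalls."""

    def __init__(self, sessions, max_misses=5, window_seconds=60):
        self.sessions = sessions            # session token -> ICC-ID
        self.max_misses = max_misses
        self.window = window_seconds
        self.misses = defaultdict(deque)    # client address -> miss timestamps

    def _too_many_misses(self, client, now):
        q = self.misses[client]
        while q and now - q[0] > self.window:   # drop misses outside the window
            q.popleft()
        return len(q) >= self.max_misses

    def lookup(self, request, now):
        client = request.get("client", "unknown")
        if self._too_many_misses(client, now):
            return 429, None
        token = request.get("cookies", {}).get("session")
        iccid = self.sessions.get(token)
        if iccid is None:
            self.misses[client].append(now)
            return 401, None
        # Any ICCID parameter the client sends is deliberately ignored: the
        # caller can only ever learn the address bound to its own session.
        email = SUBSCRIBERS.get(iccid)
        return (200, email) if email else (404, None)


if __name__ == "__main__":
    sweep = enumerate_sequential(weak_lookup, "89014104270000012340", 10,
                                 {"User-Agent": IPAD_UA})
    print("weak handler leaked:", sweep)
    hardened = HardenedLookup({"tok-alice": "89014104270000012345"})
    probe = lambda r: hardened.lookup(dict(r, client="10.0.0.9"), now=1.0)
    print("hardened handler leaked:",
          enumerate_sequential(probe, "89014104270000012340", 10,
                               {"User-Agent": IPAD_UA}))
```

The weak handler gives up every record in the swept range, and nothing about the request distinguishes the sweep from a legitimate iPad. The hardened handler returns 401 to every unauthenticated probe and, after five misses in a minute from one client, 429 for the rest, so the same sweep recovers nothing. Rate limiting is the second line of defence here; the first is that the selector (the ICC-ID) is never client-controlled.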

So now Steve Jobs has a bit of a problem. Hundreds of thousands of customers' email addresses, and potentially millions, have been made available to groups that could use them for malicious purposes. Not only that, but the iPad 3G looks rather unappealing now, even though it was AT&T and not Apple that was responsible for the breach.

If you bought an iPad 3G and have an email address that doesn't reveal your identity and a strong password for it, you might be safe. However, now is as good a time as any to change your email password to something stronger. Also, if your email is firstname.lastname@mysite.com or something similar, be very cautious about whose PDFs you open and which links you click in emails. It's easier than you might think for criminals to target a victim with a convincing, specially crafted email that appears to come from co-workers or friends, and a confirmed list of iPad owners tells an attacker exactly which lure to use.

References: http://security.goatse.fr/