Hackers obtained some 114,000 iPad owner’s emails, some included government officials, military officers.
Oh boy. Gawker revealed today that a group of hackers from Goatse Security were recently able to break into AT&T’s servers and obtain private user information on a significant amount of AT&T iPad 3G owners. AT&T were able to patch the security hole immediately after being informed by Goatse Security, but not after confidential information such as email addresses of approx. 114,067 iPad 3G users – which included top level government officials, high-ranking military officers, and Fortune 500 CEOs – were exposed and obtained.
Here is how the data was hacked:
“When provided with an ICC-ID as part of an HTTP request, the script would return the associated email address, in what was apparently intended to be an AJAX-style response within a Web application. The security researchers were able to guess a large swath of ICC IDs by looking at known iPad 3G ICC IDs, some of which are shown in pictures posted by gadget enthusiasts to Flickr and other internet sites, and which can also be obtained through friendly associates who own iPads and are willing to share their information, available within the iPad “Settings” application.
To make AT&T’s servers respond, the security group merely had to send an iPad-style “User agent” header in their Web request. Such headers identify users’ browser types to websites.
The group wrote a PHP script to automate the harvesting of data. Since a member of the group tells us the script was shared with third-parties prior to AT&T closing the security hole, it’s not known exactly whose hands the exploit fell into and what those people did with the names they obtained. A member tells us it’s likely many accounts beyond the 114,000 have been compromised.”