AT&T has fleshed out its response about an Apple iPad flaw that exposed customer email addresses and may just make matters worse.
Last week, Goatse Security said it obtained the email addresses of 114,000 Apple iPad users, including a few in the White House. AT&T in a letter to customers, apologized to customers—including our own Michael Krigsman— but then painted Goatse as the bad guy in a move that could backfire. Why? The apology just looks hollow when you try and throw Goatse under the bus. AT&T wrote:
On June 7 we learned that unauthorized computer “hackers” maliciously exploited a function designed to make your iPad log-in process faster by pre-populating an AT&T authentication page with the email address you used to register your iPad for 3G service. The self-described hackers wrote software code to randomly generate numbers that mimicked serial numbers of the AT&T SIM card for iPad – called the integrated circuit card identification (ICC-ID) – and repeatedly queried an AT&T web address. When a number generated by the hackers matched an actual ICC-ID, the authentication page log-in screen was returned to the hackers with the email address associated with the ICC-ID already populated on the log-in screen.
The hackers deliberately went to great efforts with a random program to extract possible ICC-IDs and capture customer email addresses. They then put together a list of these emails and distributed it for their own publicity.
Goatse, which initially gave its findings to Gawker, wasn’t pleased. In a blog post, Goatse said:
AT&T mailing so much of their subscriber base exposes a potential I have been suspicious of. They were likely not logging their httpd and had no idea how to verify the true scope of the disclosure, so they had to mail a huge number of customers. If not for our firm talking about the exploit to third parties who subsequently notified them, they would have never fixed it and it would likely be exploited by the RBN or the Chinese, or some other criminal organization or government (if it wasn’t already).
AT&T had plenty of time to inform the public before our disclosure. It was not done. Post-patch, disclosure should be immediate– within the hour. Days afterward is not acceptable.
Often, researchers that find vulnerabilities go to the company first so that’s where AT&T gets its malicious hacker charge. Goatse said that it didn’t go to great efforts to exploit vulnerabilities and that its disclosure was “a service to our nation.” “We disclosed only to a single journalist and destroyed the data afterward. We did the right thing,” said Goatse.
As Dancho Danchev noted, the security risk to iPad users is generally small. But the incident reveals how third parties are often the front door for vulnerabilities.
In any case, AT&T’s attempt to paint Goatse as the bad guy may backfire in the perception game.
Also:
