homepage Welcome to WebmasterWorld Guest from 54.198.148.191
register, free tools, login, search, subscribe, help, library, announcements, recent posts, open posts,
Pubcon Website
Home / Forums Index / Hardware and OS Related Technologies / Smartphone, Wireless, and Mobile Technologies
Forum Library, Charter, Moderators: bakedjake

Smartphone, Wireless, and Mobile Technologies Forum

    
AT&T Vulnerability Exposes 100K iPad Email Addresses
iPad Customers Could Be Vulnerable To Targeted Attacks
incrediBILL




msg:4150630
 4:56 pm on Jun 10, 2010 (gmt 0)

A Hacker managed to gain access to 114K of AT&T's iPad Users Email Addresses [news.yahoo.com]
It involved an insecure way that AT&T's website would prompt iPad users when they tried to log into their AT&T accounts through the devices.


Nothing like having your account information compromised because AT&T thought it could "make log-ins easier" which speaks volumes of what AT&T thinks about the average technical ability of iPad users.

The hacker group that claims to have discovered the weakness — the group calls itself Goatse Security — said it was able to trick AT&T's site into coughing up more than 114,000 e-mail addresses, including those apparently of famous media personalities and important government officials.


Makes you wonder if AT&T and Apple even tested the log-in process or had anyone do a simple security analysis before making it live as this seems like a bad idea anyone with a security background would've caught right away.

 

incrediBILL




msg:4150705
 6:34 pm on Jun 10, 2010 (gmt 0)

To add to the fun, Steve Jobs just boasted about iPad security [gawker.com]:
The iPad breach flew in the face of Jobs' statement that Apple's policy is to seek—and force partners to seek—user permission "every time. Let them know precisely what you're going to do with their data," and let "people know what they're signing up for in plain English, repeatedly."

physics




msg:4150726
 7:20 pm on Jun 10, 2010 (gmt 0)

Ooh ooh, maybe Apple can use this as a reason to get out from ATT contract. Or... not.

Sgt_Kickaxe




msg:4150806
 9:28 pm on Jun 10, 2010 (gmt 0)

AT&T needs to hire more ex-hackers. If you can't beat them, and they obviously can't, hire them!

edit: It doesn't get more basic in terms of code to not display more than one email address for any given request, 114k ? talk about a cluster...

Bentler




msg:4150872
 12:05 am on Jun 11, 2010 (gmt 0)

FBI is investigating this system hack: [computerworld.com...]

incrediBILL




msg:4150892
 1:16 am on Jun 11, 2010 (gmt 0)

Now that the Feds are involved [gawker.com] major CYA is happening:
a member of Goatse Security said "there was no illegal activity or unauthorized access" and that, from an ethical standpoint, the group was "as 'nice guy' as it gets." ... Further, the post said that the security hole was closed before the vulnerability was publicized; that the private user information gathered by the group was given only to Gawker and then destroyed;


I think they need a new definition for what defines "illegal activity" these days because they may be shocked when they read the current cyber laws.

Demaestro




msg:4151397
 7:33 pm on Jun 11, 2010 (gmt 0)


I think they need a new definition for what defines "illegal activity" these days because they may be shocked when they read the current cyber laws.


Agreed, the problem lies with the circumvention rules.

What does circumventing mean, because there was the case where a man was on the governator's website and backed up a directory by deleting the last part of his URI giving him access to "private" files not meant for the public. Trouble was they were protected by a login screen or anything, they just weren't linked to.

He said he didn't know what was in the directory he was just exploring the site. He was charged with hacking because there was no link to that directory.

So if there is no real security like in this case, can you really circumvent it? If all it takes is a little knowledge and some altering of query strings and the like I have a hard time calling that circumventing security.

keyplyr




msg:4151819
 11:29 pm on Jun 12, 2010 (gmt 0)

maybe Apple can use this as a reason to get out from ATT contract.

and get an early termination penalty.

carleisenstein




msg:4151831
 12:32 am on Jun 13, 2010 (gmt 0)

He said he didn't know what was in the directory he was just exploring the site. He was charged with hacking because there was no link to that directory.


Wow, that's a little scary. Does that mean I have to check each page for inbound links every time I visit in case I'm hacking?

I have some sympathy for Goatse - they haven't publicly released the email addresses and they let AT&T fix the hole before they announced it. If they were security testing an operating system for weaknesses they would be heroes - why so different for those that test for privacy weaknesses in badly built corporate sites?

In fact, I think having ethical people test big company sites for stupid security flaws should be encouraged IMHO - it's better than a bunch of underground card phreaks getting your data.

gosman




msg:4151918
 10:28 am on Jun 13, 2010 (gmt 0)

So if I decide to check out a particular website for security flaws before I sign up I can be charged with hacking. However if thy expose my private details by implementing poor security measures I have no comeback.

Really makes sense

Global Options:
 top home search open messages active posts  
 

Home / Forums Index / Hardware and OS Related Technologies / Smartphone, Wireless, and Mobile Technologies
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About
© Webmaster World 1996-2014 all rights reserved