AT&T Vulnerability Exposes 100K iPad Email Addresses

iPad Customers Could Be Vulnerable To Targeted Attacks

     
4:56 pm on Jun 10, 2010 (gmt 0)

Administrator from US 

WebmasterWorld Administrator incredibill is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Jan 25, 2005
posts:14624
votes: 88


A Hacker managed to gain access to 114K of AT&T's iPad Users Email Addresses [news.yahoo.com]
It involved an insecure way that AT&T's website would prompt iPad users when they tried to log into their AT&T accounts through the devices.


Nothing like having your account information compromised because AT&T thought it could "make log-ins easier" which speaks volumes of what AT&T thinks about the average technical ability of iPad users.

The hacker group that claims to have discovered the weakness — the group calls itself Goatse Security — said it was able to trick AT&T's site into coughing up more than 114,000 e-mail addresses, including those apparently of famous media personalities and important government officials.


Makes you wonder if AT&T and Apple even tested the log-in process or had anyone do a simple security analysis before making it live as this seems like a bad idea anyone with a security background would've caught right away.
6:34 pm on June 10, 2010 (gmt 0)

Administrator from US 

WebmasterWorld Administrator incredibill is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Jan 25, 2005
posts:14624
votes: 88


To add to the fun, Steve Jobs just boasted about iPad security [gawker.com]:
The iPad breach flew in the face of Jobs' statement that Apple's policy is to seek—and force partners to seek—user permission "every time. Let them know precisely what you're going to do with their data," and let "people know what they're signing up for in plain English, repeatedly."
7:20 pm on June 10, 2010 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Feb 27, 2001
posts:2547
votes: 0


Ooh ooh, maybe Apple can use this as a reason to get out from ATT contract. Or... not.
9:28 pm on June 10, 2010 (gmt 0)

Senior Member

WebmasterWorld Senior Member sgt_kickaxe is a WebmasterWorld Top Contributor of All Time 5+ Year Member

joined:Apr 14, 2010
posts:3169
votes: 0


AT&T needs to hire more ex-hackers. If you can't beat them, and they obviously can't, hire them!

edit: It doesn't get more basic in terms of code to not display more than one email address for any given request, 114k? talk about a cluster...
12:05 am on June 11, 2010 (gmt 0)

Full Member

10+ Year Member

joined:Dec 26, 2000
posts:323
votes: 0


FBI is investigating this system hack: [computerworld.com...]
1:16 am on June 11, 2010 (gmt 0)

Administrator from US 

WebmasterWorld Administrator incredibill is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Jan 25, 2005
posts:14624
votes: 88


Now that the Feds are involved [gawker.com] major CYA is happening:
a member of Goatse Security said "there was no illegal activity or unauthorized access" and that, from an ethical standpoint, the group was "as 'nice guy' as it gets." ... Further, the post said that the security hole was closed before the vulnerability was publicized; that the private user information gathered by the group was given only to Gawker and then destroyed;


I think they need a new definition for what defines "illegal activity" these days because they may be shocked when they read the current cyber laws.
7:33 pm on June 11, 2010 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Dec 15, 2003
posts:2606
votes: 0



I think they need a new definition for what defines "illegal activity" these days because they may be shocked when they read the current cyber laws.


Agreed, the problem lies with the circumvention rules.

What does circumventing mean, because there was the case where a man was on the governator's website and backed up a directory by deleting the last part of his URI giving him access to "private" files not meant for the public. Trouble was they were protected by a login screen or anything, they just weren't linked to.

He said he didn't know what was in the directory; he was just exploring the site. He was charged with hacking because there was no link to that directory.

So if there is no real security like in this case, can you really circumvent it? If all it takes is a little knowledge and some altering of query strings and the like I have a hard time calling that circumventing security.
11:29 pm on June 12, 2010 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:5808
votes: 64


maybe Apple can use this as a reason to get out from ATT contract.

and get an early termination penalty.
12:32 am on June 13, 2010 (gmt 0)

New User

5+ Year Member

joined:Apr 14, 2010
posts:9
votes: 0


He said he didn't know what was in the directory; he was just exploring the site. He was charged with hacking because there was no link to that directory.


Wow, that's a little scary. Does that mean I have to check each page for inbound links every time I visit in case I'm hacking?

I have some sympathy for Goatse - they haven't publicly released the email addresses and they let AT&T fix the hole before they announced it. If they were security testing an operating system for weaknesses they would be heroes - why so different for those that test for privacy weaknesses in badly built corporate sites?

In fact, I think having ethical people test big company sites for stupid security flaws should be encouraged IMHO - it's better than a bunch of underground card phreaks getting your data.
10:28 am on June 13, 2010 (gmt 0)

Preferred Member

10+ Year Member

joined:Sept 7, 2003
posts:383
votes: 0


So if I decide to check out a particular website for security flaws before I sign up I can be charged with hacking. However if they expose my private details by implementing poor security measures I have no comeback.

Really makes sense