Goatse Security obtain subscriber data through script on AT&T website.
114,000 iPad owners, including CEOs, military officials and top politicians have had their email addresses exposed after a security breach, Gawker reports.
Information included subscribers' email addresses, coupled with an associated ID used to authenticate the subscriber on AT&T's network, known as the Integrated Circuit Card identifier (ICC-ID) and is used to identify the SIM cards that associate a mobile device with a particular subscriber.
Although the security vulnerability was confined to AT&T servers, Apple ensures the privacy of its users, who must provide the company with their email addresses to activate their iPads.
Goatse Security obtained the subscriber data through a script on AT&T's website.
When provided with an ICC-ID as part of an HTTP request, the script would return the associated email address. The security researchers were able to guess a large swath of ICC IDs by looking at known iPad 3G ICC IDs.
To make AT&T's servers respond, the security group had to send an iPad-style ‘User agent’ header in their Web request, which identify users' browser types to websites.
Goatse Security notified AT&T of the breach and the security hole was closed.
Accounts compromised included Google, Amazon, Microsoft and AOL as well as Goldman Sachs, JP Morgan and Citigroup along with venture capital and private equity firms and others.
Department of Justice, NASA, Department of Homeland Security, and National Institute of Health, among others, including dozens of employees of the federal court system also appeared on the list.
An AT&T statement sent to Gawker partly stated ‘This issue was escalated to the highest levels of the company and was corrected by Tuesday and we have essentially turned off the feature that provided the e-mail addresses.’
‘We are continuing to investigate and will inform all customers whose e-mail addresses and ICC IDS may have been obtained. We take customer privacy very seriously and while we have fixed this problem, we apologize to our customers who were impacted.’