BreachExchange mailing list archives
iPad / AT&T Follow-up - Technical information
From: security curmudgeon <jericho () attrition org>
Date: Thu, 10 Jun 2010 15:54:57 -0500 (CDT)
http://www.computerworld.com/s/article/9177921/_Brute_force_script_snatched_iPad_e_mail_addresses

'Brute force' script snatched iPad e-mail addresses
'No hack, no infiltration, no breach,' say security experts, just sloppy AT&T software

By Gregg Keizer
June 10, 2010 06:44 AM ET

The harvesting of over 100,000 iPad 3G owners' e-mail addresses was not a hack or a classic data breach, but a brute-force attack of a minor feature AT&T offered to Apple customers, experts said Wednesday.

According to New York-based Praetorian Security Group, which obtained a copy of the PHP script used to scrape e-mail addresses from AT&T's servers, the attack succeeded because the mobile carrier used poorly designed software.

A nine-person hacking group known as Goatse Security claimed responsibility for the script, which amassed 114,000 e-mail addresses.

"There's no hack, no infiltration, and no breach, just a really poorly-designed Web application that returns e-mail address when ICC-ID is passed to it," Praetorian said in a late Wednesday entry on its security blog.

An ICC-ID (Integrated Circuit Card Identifier) is the unique number assigned to each SIM card. A mobile device's SIM stores information that identifies the specific wireless customer to his or her carrier. The iPad 3G contains a SIM card.

[..]

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
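The failure mode Praetorian describes, an identifier in and an e-mail address out with nothing else checked, is worth seeing next to a fixed version. The following is an added example written for this archive page, not the Goatse script, AT&T's application, or any code from the article. It models the lookup as an in-memory stub: the issuer prefix, serial numbers, addresses and per-SIM secrets are all constructed, and the "login" step stands in for whatever proof of SIM ownership a carrier could demand. ICC-IDs really do end in a Luhn check digit (ITU-T E.118) and are handed out in contiguous blocks, which is why walking sequential serials is enough to enumerate them.

```python
"""Toy model of an unauthenticated ICC-ID -> e-mail lookup and a hardened form.
Everything here is constructed for illustration; no real carrier data or endpoint."""

import hmac
import secrets
from typing import Dict, Optional


def luhn_check_digit(payload: str) -> str:
    """Luhn check digit that ICC-IDs (ITU-T E.118) carry as their last digit."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:  # rightmost payload digit is doubled: the check digit sits to its right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    return number.isdigit() and len(number) > 1 and luhn_check_digit(number[:-1]) == number[-1]


ISSUER_PREFIX = "8901410"  # constructed: "89" is the telecom industry identifier, the rest is made up


def make_iccid(serial: int) -> str:
    """Build a syntactically valid ICC-ID from a sequential serial; real ICC-IDs are
    allocated in contiguous blocks, which is what makes enumeration cheap."""
    payload = ISSUER_PREFIX + f"{serial:011d}"
    return payload + luhn_check_digit(payload)


# Constructed subscriber table (ICC-ID -> e-mail) and a constructed per-SIM secret
# standing in for any proof of SIM ownership the real service could have required.
SUBSCRIBERS: Dict[str, str] = {make_iccid(s): f"user{s}@example.com" for s in (1000, 1001, 1003, 1007)}
SIM_SECRETS: Dict[str, str] = {iccid: secrets.token_hex(8) for iccid in SUBSCRIBERS}


class VulnerableLookup:
    """The pattern the article describes: identifier in, e-mail out, nothing else checked."""

    def lookup(self, iccid: str, token: Optional[str] = None, client: str = "anon") -> Optional[str]:
        return SUBSCRIBERS.get(iccid)


class HardenedLookup:
    """Same lookup, but the caller must first authenticate as the SIM's owner and the
    issued token is bound to that one ICC-ID. Failed lookups are counted per client,
    so an enumeration run shows up as a burst of failures and is cut off."""

    def __init__(self, max_failures: int = 5) -> None:
        self._tokens: Dict[str, str] = {}   # token -> ICC-ID it was issued for
        self.failures: Dict[str, int] = {}  # client -> failed lookups
        self._max_failures = max_failures

    def login(self, iccid: str, sim_secret: str) -> Optional[str]:
        expected = SIM_SECRETS.get(iccid)
        if expected is None or not hmac.compare_digest(expected, sim_secret):
            return None
        token = secrets.token_urlsafe(16)
        self._tokens[token] = iccid
        return token

    def lookup(self, iccid: str, token: Optional[str] = None, client: str = "anon") -> Optional[str]:
        if self.failures.get(client, 0) >= self._max_failures:
            return None  # locked out: reveal nothing, not even whether the ICC-ID exists
        bound = self._tokens.get(token) if token else None
        if bound is None or not hmac.compare_digest(bound, iccid):
            self.failures[client] = self.failures.get(client, 0) + 1
            return None
        return SUBSCRIBERS[iccid]


def harvest(service, start: int, count: int, client: str = "scraper") -> Dict[str, str]:
    """Walk a block of sequential ICC-IDs and keep every address the service returns to
    an unauthenticated caller. Against VulnerableLookup this loop is the whole attack."""
    found: Dict[str, str] = {}
    for serial in range(start, start + count):
        iccid = make_iccid(serial)
        email = service.lookup(iccid, client=client)
        if email is not None:
            found[iccid] = email
    return found


def run_demo() -> Dict[str, object]:
    """Run the scraper against both services, then a legitimate owner against the hardened one."""
    hardened = HardenedLookup()
    me = make_iccid(1003)
    token = hardened.login(me, SIM_SECRETS[me])
    return {
        "vulnerable_harvest": harvest(VulnerableLookup(), 1000, 10),
        "hardened_harvest": harvest(hardened, 1000, 10),
        "scraper_failures": hardened.failures.get("scraper", 0),
        "owner_lookup": hardened.lookup(me, token=token, client="owner"),
        "token_reuse_on_other_sim": hardened.lookup(make_iccid(1000), token=token, client="owner"),
        "bad_secret_login": hardened.login(me, "not-the-secret"),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The point of the hardened class is the binding between the authenticated principal and the identifier being looked up; the failure counter is only a second layer that makes an enumeration run visible and short-lived. Making ICC-IDs harder to guess would not have helped, since the identifier is printed on the SIM and is not a secret.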