Another AT&T slip: a flaw in its iPad customer account management system could have exposed thousands of email addresses to anyone aware of the bug and with enough technical knowledge to extract the information.
The embarrassing problem came to light through research by Goatse Security, a group of hackers that has made news in the past for the questionable methods (and images) it has used to demonstrate security bugs. Using a script freely available on the Internet, it was possible to harvest thousands upon thousands of email addresses, 114 thousand in all. The operation was not only worked out in theory but carried out in practice: long lists of "VIP" users, from managers of large companies to politicians, from financial tycoons to show business personalities, appeared on the Internet, posted by someone who had early access to the information later disseminated by Goatse Security. The lists also include the email data of high-ranking military officers, Department of Homeland Security staff and employees of the federal courts. Together with each email address, the so-called ICC-ID was also published, the identifier a SIM card uses to connect to the network.
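The pattern behind the harvest described above is a client walking through neighbouring ICC-IDs against an account-lookup endpoint. As an added illustration that is not part of the original report or of any AT&T or Goatse Security code, the following Python flags such a client in web-server logs; the log format, the endpoint path and the "iccid" parameter name are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed access-log sample (not real AT&T data). The endpoint path and
# the "iccid" parameter name are assumptions; the article does not give them.
SAMPLE_LOG = """\
10.0.0.5 "GET /account/lookup?iccid=8901410321111111113 HTTP/1.1" 200
10.0.0.5 "GET /account/lookup?iccid=8901410321111111127 HTTP/1.1" 200
10.0.0.5 "GET /account/lookup?iccid=8901410321111111130 HTTP/1.1" 404
10.0.0.5 "GET /account/lookup?iccid=8901410321111111148 HTTP/1.1" 200
10.0.0.5 "GET /account/lookup?iccid=8901410321111111156 HTTP/1.1" 200
10.0.0.9 "GET /account/lookup?iccid=8901410329876543210 HTTP/1.1" 200
"""

LINE_RE = re.compile(r'^(\S+) "GET (\S+) HTTP/[\d.]+" (\d{3})$')

def parse_lookups(log_text):
    """Return {client: [iccid_body, ...]} for every request carrying an iccid.
    ICC-IDs end in a Luhn check digit, so the last digit is dropped to get the
    sequential account body an enumerator steps through. Failed lookups (404)
    are kept on purpose: wrong guesses are part of the pattern."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, target, _status = m.groups()
        for iccid in parse_qs(urlparse(target).query).get("iccid", []):
            if iccid.isdigit() and 18 <= len(iccid) <= 20:
                per_client[client].append(int(iccid) // 10)
    return per_client

def find_enumerators(log_text, min_distinct=4, max_step=2):
    """Flag clients whose distinct ICC-ID bodies form a tight run: at least
    min_distinct values, with consecutive sorted bodies <= max_step apart."""
    flagged = {}
    for client, bodies in parse_lookups(log_text).items():
        distinct = sorted(set(bodies))
        if len(distinct) < min_distinct:
            continue
        steps = [b - a for a, b in zip(distinct, distinct[1:])]
        adjacent = sum(1 for s in steps if s <= max_step)
        if adjacent >= min_distinct - 1:
            flagged[client] = {"distinct": len(distinct), "adjacent_steps": adjacent}
    return flagged

if __name__ == "__main__":
    print(find_enumerators(SAMPLE_LOG))
```

A single client reading five adjacent SIM identifiers in a row is flagged, while the client that performed one lookup is not; in a real deployment the threshold would be tuned against the normal number of lookups one customer performs.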
AT&T, which Goatse Security claims to have contacted, has already closed the hole, but as things stand no one is able to say what damage the bug has done, whose hands the email addresses have ended up in, or whether there are other "entry doors" in the AT&T system. The fluidity of the situation prompted the New York Times, for example, to advise its employees to turn off iPad 3G access "until further notice".
AT&T admitted the problem while trying to minimize it: "The only data that could be obtained", says the mobile operator, "is the information connected to the email address. We are informing customers who have been involved in this matter. AT&T takes privacy very seriously and, although we have already remedied the error, we apologize to our customers." According to AT&T, Goatse Security did not report the bug: "The person or group who discovered the hole", says the operator, stirring controversy over the whole affair, "did not contact AT&T. We were alerted by one of our business customers." Some sites suspect, in fact, that the images posted to prove the bug were spread by Goatse Security itself.
Gawker Media, the publisher whose outlets Gizmodo and Valleywag first reported the story, takes the opportunity to rekindle the controversy it has had with Apple since the day it decided to publish information on the iPhone found in a bar and bought for a news report. “Although the security hole is confined to the AT&T servers, Apple carries on its shoulders the responsibility of ensuring the privacy of its customers, who provide the company with their email addresses to activate iPads. This is specifically the case given that for the iPad 3G there is no choice of mobile operator: AT&T has the exclusive right, at least for now. Since there is this type of obligation and a close link between the iPad and the AT&T cellular network, Apple has the responsibility to keep under control who operates the networks it chooses and with whom it decides to share the data of its customers.”
The fact that the primary sources of information are Goatse Security and Gawker Media, both controversial for their methods and neither of which, as things stand, can be considered entirely free of bias in the matter, is leading some industry experts to keep a low profile in their judgment. In any case, the vast majority of independent observers believe that the party that should really be worried is AT&T, a company whose image is already less than perfect in terms of quality of service and which risks being buried under negative publicity by this story. Many are wondering how likely it is that the bug affects users of devices other than the iPad, a name that makes news and is convenient for headlines but represents an infinitesimal fraction of the devices handled by the American mobile operator.
Thanks to the many readers who sent in the tip.