Daniel Kennedy

I have never been a fan of the "morning after"-style security stories. You know the ones: they always seek to minimize or dismiss the latest security concern, the one everybody was so excited about the night before, as not that important. That’s why I’m going to apologize in advance for writing a story that might sound like that now.
By now you’ve read Gawker’s breathless reporting of how AT&T exposed the e-mail addresses of 114,000 Apple iPad 3G owners, and seen the picture on their website demonstrating what that many records looks like printed out. Having a web response reveal user e-mail addresses without any form of authentication is negligent, don’t get me wrong. It just doesn’t rise to the level of hysteria depicted in some of the coverage thus far.
With names such as Diane Sawyer, Janet Robinson (CEO, NY Times), Harvey Weinstein, Mayor Bloomberg, Rahm Emanuel, and many other early 3G iPad recipients included, it is clear the list of early iPad owners contains a few mucky-mucks, and that this is a story driven by who (stars) and what (iPads) are involved. There are also a number of government officials on the list, including people at NASA, the Justice Department, the Defense Department, and the Department of Homeland Security, among others (how many iPads did my tax dollars buy?). So there is no denying this is an important story. But let's walk through it with an eye towards a detailed look at what happened, and a conservative view of what the risks to iPad owners might be.
In short, an HTTP request was made to an AT&T web server endpoint that appears to return an Ajax-style response, with the request's user-agent string spoofed to look like an iPad:
$useragent="Mozilla/5.0 (iPad)"; //Spoof as iPad
The request included the user’s ICC-ID (an integrated circuit card identifier, the number that identifies a SIM card to a subscriber) as a parameter, and the web application responded with the e-mail address associated with that ID, if the ID was valid. The PHP script written by Goatse Security, the group that reported this to Gawker, iterated through a series of ICC-ID numbers in requests to an att.com URL, and parsed the e-mail addresses that came back for active, valid ICC-IDs.
The URL, as shown, accepted an ICCID parameter and, if the value was valid, returned the associated e-mail address, until AT&T corrected this earlier.
There was no hack and no infiltration, just a very poorly designed web application and an enumeration attack on the part of this group of computer security enthusiasts: any client that could set its user-agent string and count upwards through ICC-IDs could harvest the addresses.
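To make the flaw concrete, here is an added example (written for this page, in Python rather than PHP; it is not Goatse Security's script and not AT&T's code) that models the endpoint two ways: the vulnerable design, where an unauthenticated GET maps any ICCID parameter to an e-mail address and the only gate is the user-agent string, and a hardened version, where the ICC-ID is taken from an authenticated session and every failure returns the same response. The subscriber table, the /lookup path and the hidden-field response markup are constructed stand-ins, not the real att.com endpoint or its output. The enumeration loop at the bottom is the shape of what the script did: iterate ICC-IDs with the spoofed user-agent and parse out the addresses.

```python
"""Model of the AT&T ICC-ID lookup flaw beside a hardened design.

Constructed example: SUBSCRIBERS, the /lookup path and the response
markup are invented stand-ins; the real att.com endpoint is not reproduced.
"""
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample data (fictitious ICC-IDs and addresses).
SUBSCRIBERS = {
    "89014104211234567890": "alice@example.com",
    "89014104211234567891": "bob@example.com",
    "89014104211234567894": "carol@example.com",
}

# The user-agent the script spoofed; any HTTP client can send this.
IPAD_USER_AGENT = "Mozilla/5.0 (iPad)"


def vulnerable_endpoint(url, headers, session=None):
    """Flawed design: unauthenticated GET, ICC-ID comes from the request.

    Returns (status, body). The user-agent check is the only gate, and a
    valid ICC-ID yields the subscriber's e-mail, so the endpoint is an
    oracle for anyone who can iterate ICC-IDs.
    """
    if "iPad" not in headers.get("User-Agent", ""):
        return 403, ""
    iccid = parse_qs(urlparse(url).query).get("ICCID", [""])[0]
    email = SUBSCRIBERS.get(iccid, "")  # empty value for unknown IDs
    return 200, f"<input type='hidden' name='email' value='{email}'>"


def hardened_endpoint(url, headers, session=None):
    """Hardened design: the ICC-ID is bound to an authenticated session.

    The caller can only ever see their own record. A missing session and a
    mismatched ICCID parameter produce the identical 401, so an attacker
    learns nothing about which ICC-IDs exist.
    """
    if session is None or "iccid" not in session:
        return 401, ""
    requested = parse_qs(urlparse(url).query).get("ICCID", [None])[0]
    if requested is not None and requested != session["iccid"]:
        return 401, ""
    email = SUBSCRIBERS.get(session["iccid"], "")
    return 200, f"<input type='hidden' name='email' value='{email}'>"


# Pull an e-mail address out of the constructed response markup.
EMAIL_RE = re.compile(r"value='([^'@]+@[^']+)'")


def enumerate_iccids(endpoint, start, count, path="/lookup"):
    """Walk `count` sequential ICC-IDs from `start` against `endpoint`.

    Mirrors the enumeration the script performed: spoof the iPad
    user-agent, request each ICC-ID, parse any address that comes back.
    Returns {iccid: email} for every hit.
    """
    found = {}
    for n in range(start, start + count):
        iccid = str(n)
        status, body = endpoint(
            f"{path}?ICCID={iccid}", {"User-Agent": IPAD_USER_AGENT}
        )
        if status != 200:
            continue
        match = EMAIL_RE.search(body)
        if match:
            found[iccid] = match.group(1)
    return found


if __name__ == "__main__":
    leaked = enumerate_iccids(vulnerable_endpoint, 89014104211234567890, 6)
    print(f"vulnerable endpoint leaked {len(leaked)} addresses: {leaked}")
    safe = enumerate_iccids(hardened_endpoint, 89014104211234567890, 6)
    print(f"hardened endpoint leaked {len(safe)} addresses")
```

Against the vulnerable model the loop recovers every valid ICC-ID in the range; against the hardened one it recovers nothing, because without a session every request gets the same 401 and the ICC-ID in the query string is never consulted as a lookup key.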
Praetorian Prefect has the actual PHP script itself, courtesy of Goatse member Weev, if you would like to take a look at it now that AT&T has fixed the problem.