The leaking of 114,000 private email addresses by Goatse Security was carried out through a simple attack on badly-designed software, according to Praetorian Security Group.
When iPad 3G buyers sign up with AT&T, the company detects the SIM’s unique Integrated Circuit Card Identifier (ICC ID) and asks for an email address. This is used to make log-in easier.
But Goatse was able to bombard the system with random requests using invented ICC IDs. Some, inevitably, corresponded to genuine iPads, allowing the group to harvest the email data.
“There’s no hack, no infiltration, and no breach, just a really poorly designed web application that returns email address when ICCID is passed to it,” says the company, which has published the script that Goatse used.
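Requests of the kind described above, one source asking about many different ICC IDs, stand out in request logs. The following is an added example, not code from Praetorian, Goatse or AT&T, that flags such a client; the log layout, the `/lookup` path, the `iccid` parameter name, the status codes and the threshold are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Assumed log layout (constructed for this example): client IP, request, status.
# The /lookup path and iccid parameter are hypothetical names.
LINE_RE = re.compile(r'^(\S+) "GET /lookup\?iccid=(\d{19,20})" (\d{3})$')


def sample_log():
    """Constructed traffic: three ordinary devices and one client guessing IDs."""
    base = 8900000000000000000  # constructed 19-digit identifier, not a real ICC ID
    lines = [
        f'203.0.113.{n} "GET /lookup?iccid={base + 5000 + n}" 200'
        for n in (11, 12, 13)
    ]
    # An ordinary device repeats its own identifier on each visit.
    lines.append(f'203.0.113.11 "GET /lookup?iccid={base + 5011}" 200')
    # One client tries 40 different identifiers; every tenth guess is a hit.
    for i in range(40):
        status = 200 if i % 10 == 0 else 404
        lines.append(f'198.51.100.7 "GET /lookup?iccid={base + i}" {status}')
    return lines


def find_enumerators(lines, max_distinct=5):
    """Return {client: (distinct_ids, hits)} for clients querying many IDs."""
    # Assumption: a device has one SIM, so one client asking about many
    # different identifiers is the signal, whether or not the guesses succeed.
    seen = defaultdict(set)
    hits = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not lookup requests
        ip, iccid, status = m.groups()
        seen[ip].add(iccid)
        if status == "200":
            hits[ip].add(iccid)
    return {
        ip: (len(ids), len(hits[ip]))
        for ip, ids in seen.items()
        if len(ids) > max_distinct
    }


if __name__ == "__main__":
    for ip, (distinct, hit) in find_enumerators(sample_log()).items():
        print(f"{ip}: {distinct} distinct ICC IDs queried, {hit} returned data")
```

Counting distinct identifiers rather than raw request volume keeps a device that reloads the page repeatedly from being flagged; clients that share an address would need a higher threshold.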
AT&T was quick to turn the feature off. It says it will inform all users who may have been affected.
In any case, says Graham Cluley of Sophos, the whole thing was a bit of a storm in a teacup.
“Ok. So I can see how this is embarrassing, and it shouldn’t have happened. But… it’s just an email address and you reveal your email address every time you send an email,” he says.
“Although iPad-related email addresses could be useful for those who wish to specifically target iPad owners with spam or phishing attacks, there’s no serious reason to believe that any actual hacking is likely to take place.
“After all, it’s not as though any more information about the individuals appears to have been exposed – for instance, there are no passwords, real names, telephone numbers, dates of birth, etc etc.”