
FBI Investigating Breach Of iPad Customer Email Addresses On AT&T Website

Researchers who exposed hole say they "did the right thing," AT&T says they acted "maliciously"

Jun 11, 2010 | 02:27 PM

By Kelly Jackson Higgins

The FBI has launched an investigation into the exposure of email addresses of thousands of iPad customers on an AT&T website this week.

Researchers with Goatse Security, who this week revealed the weakness in the AT&T site, were able to collect the email addresses of more than 100,000 iPad customers, including some high-profile people. The weakness was a business-logic flaw rather than a software bug: an AT&T web application, left publicly reachable and unauthenticated, returned a subscriber's email address when handed that subscriber's SIM identifier.

Escher Auernheimer, a security analyst with Goatse Security, said in an interview today that his firm "did the right thing" by going public about the hole in AT&T's website.

UPDATE: AT&T sent a letter to Apple 3G iPad owners over the weekend that shed some light on AT&T's position on the hack, according to a report in the New York Times. "On June 7 we learned that unauthorized computer 'hackers' maliciously exploited a function designed to make your iPad log-in process faster by pre-populating an AT&T authentication page with the email address you used to register your iPad for 3G service," wrote Dorothy Attwood, a senior vice president and chief privacy officer at AT&T.

"The hackers deliberately went to great efforts with a random program to extract possible ICC-IDs and capture customer email addresses. They then put together a list of these emails and distributed it for their own publicity," Attwood said.

Meanwhile, Goatse's Auernheimer says the researchers went public with their findings via the Gawker website only after AT&T fixed the flaw. They handed the harvested email addresses to Gawker, but stipulated that the site not publish the actual addresses. "Our disclosure process was extremely proper and above and beyond," Auernheimer says. "Many researchers do not wait for patches" before they disclose, he says.

"What influenced our decision was that there were so many people who were stewards of important infrastructure on the public and private list [exposed]," he says. "Someone else could have scraped this data."

According to Auernheimer, his team got the data without a password or actual breach/intrusion. The researchers wrote a PHP script that grabbed the email addresses from the errant AT&T script. "It's not uncommon to see this type of vulnerability," he says.

The FBI's involvement could be due to the high-profile iPad customers whose email addresses Goatse discovered, Auernheimer says. "We haven't had any contact" with the FBI, however, he says.

Meanwhile, the FBI issued this statement: "The FBI is aware of these possible computer intrusions and has opened an investigation to address the potential cyber threat."

Among the email addresses Goatse was able to access were that of White House Chief of Staff Rahm Emanuel, New York City Mayor Michael Bloomberg, U.S. Air Force Col. William Eldridge, and New York Times Co. chief executive Janet Robinson, according to Gawker.

Security experts at Praetorian published the script written by Goatse. It iterates over integrated circuit card identifiers (ICC-IDs), the serial numbers that tie an iPad's SIM card to a subscriber account, submits each one to the AT&T page, and records the email address that comes back for every active ICC-ID: "An e-mail address gets returned in the successful iterations (active ICCID) and parsed. There's no hack, no infiltration, and no breach, just a really poorly designed web application that returns e-mail address when ICCID is passed to it," Praetorian's Daniel Kennedy blogged on Wednesday.

Meanwhile, Auernheimer has taken issue with AT&T's claims that his firm acted maliciously. He says he released a semantic integer overflow exploit for Apple Safari in March, which was later patched on Apple’s desktop Safari but has not yet been fixed for the iPad.

"This bug we crafted allows the viewer of a webpage to become a proxy (behind corporate and government firewalls!) for spamming, exploit payloads, password bruteforce attacks and other undesirables. The kicker is that this attack cannot be detected by any current IDS/IPS system," he blogged yesterday. "We released this in March, mind you, and Apple still hasn’t got around to patching this on the iPad! I know through personal experience that the patch time for an iPad vulnerability is over two months and counting. Given that, the number of parties which probably have active iPad exploits likely numbers in the hundreds, if not the thousands. The iPad simply is not a safe platform for those that require a secure environment."
