Gawker Media has uncovered a major security breach at AT&T exposing iPad owners including dozens of CEOs, military officials, and top politicians.
Gawker were handed an exclusive email list based on a collection of early-adopter iPad 3G subscribers. The list contains thousands of A-listers in Finance, politics and media, from New York Times Co. CEO Janet Robinson to Diane Sawyer of ABC News. The list even includes White House Chief of Staff Rahm Emanuel's information.
The information exposed in the breach includes the subscribers' email addresses and a unique ID used to authenticate the subscriber on AT&T's network, known as the ICC-ID. The subscriber data was obtained by a group named Goatse Security. The group wrote a PHP script to automate data retrieval through a script on AT&T's website, accessible to everyone.
"When provided with an ICC-ID as part of an HTTP request, the script would return the associated email address, in what was apparently intended to be an AJAX-style response within a Web application. The security researchers were able to guess a large swath of ICC IDs by looking at known iPad 3G ICC IDs, some of which are shown in pictures posted by gadget enthusiasts to Flickr and other internet sites, and which can also be obtained through friendly associates who own iPads and are willing to share their information, available within the iPad "Settings" application" - Wrote Ryan Tate of Gawker Media.
AT&T became aware of the exploit on Monday and issued a patch to fix the hole on Tuesday. As for the users data, Gawker said it would not make the list of emails public - but it's still unclear if the initial hacker has sold the list to any underground community.
In the list of emails, a number of famous people and US military and government officials were exposed. There is no direct threat to the email themselves, as the exploit doesn't expose passwords, perhaps just some spam emails.
AT&T issued this statement regarding the exploit:
"AT&T was informed by a business customer on Monday of the potential exposure of their iPad ICC IDS. The only information that can be derived from the ICC IDS is the e-mail address attached to that device.
This issue was escalated to the highest levels of the company and was corrected by Tuesday; and we have essentially turned off the feature that provided the e-mail addresses.
The person or group who discovered this gap did not contact AT&T.
We are continuing to investigate and will inform all customers whose e-mail addresses and ICC IDS may have been obtained.
We take customer privacy very seriously and while we have fixed this problem, we apologize to our customers who were impacted."