nsane.forums Posted June 14, 2010

Firm says sorry to customers over email leak

AT&T has apologised to customers after a security lapse exposed iPad buyers' email addresses and details.

Goatse Security revealed last week that it had been able to exploit a flaw in AT&T's protocols to harvest the data on some 114,000 iPad 3G owners. The list of those affected included the White House chief of staff, New York mayor Michael Bloomberg and numerous senior people in the military, media and commerce sectors.

Dorothy Attwood, chief privacy officer at AT&T, has now apologised to those customers whose email addresses had been exposed, in a letter republished on Boy Genius Report.

Attwood described Goatse Security as "hackers", explaining that the firm had "maliciously exploited a function designed to make your iPad log-in process faster by pre-populating an AT&T authentication page with the email address you used to register your iPad for 3G service".

"I want to assure you that the email address and ICC-ID were the only information that was accessible. Your password, account information, the contents of your email, and any other personal information were never at risk," she said.

"AT&T acted quickly to protect your information, and we promise to keep working around the clock to keep your information safe. Thank you very much for your understanding, and for being an AT&T customer."

Goatse Security has since replied to the letter in order to "clear the air".

"AT&T mailing so much of their subscriber base exposes a potential I have been suspicious of. They were likely not logging their httpd and had no idea how to verify the true scope of the disclosure, so they had to mail a huge number of customers," wrote Goatse Security member Escher Auernheimer.
"If not for our firm talking about the exploit to third parties who subsequently notified them, they would have never fixed it and it would likely be exploited by the Russian Business Network or the Chinese, or some other criminal organisation or government (if it wasn't already)."

Auernheimer said that AT&T had had "plenty of time" to let the public know before Goatse went public with its information, but instead chose to wait days to react. He added that this sluggish approach could have left the same security holes open to other, more malicious organisations.

"It is theoretically possible that in the span of a day (particularly after a hole was closed) that a criminal organisation might decide to use an old dataset to exploit users before the users could be enlightened about the vulnerability," Auernheimer said. "Even in this disclosure, which I feel they would not have made if we hadn't publicised this vulnerability, AT&T is being dishonest about the potential for harm."

Goatse also takes issue with the way AT&T seems to over-hype the hack attack. Auernheimer said that, while AT&T talked of the "great efforts" it would have taken, "the finder of the AT&T email leak spent just over a single hour of labour (not counting the time the script ran with no human intervention) to scrape the 114,000 emails".

The FBI is investigating the security breach.

View: Original Article
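An added detection example, not code from the article, AT&T or Goatse Security: given the kind of httpd access logs Auernheimer says AT&T was likely not keeping, it flags a client that cycles through many ICC-IDs against an email pre-population endpoint and reports which IDs were actually served, which is what an operator needs to establish the true scope of such a disclosure. The endpoint path `/auth/prepopulate`, the `iccid` query parameter and the log lines are constructed placeholders, not AT&T's real URLs or identifiers.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache "combined"-style access log lines; endpoint path and
# ICC-ID values are hypothetical placeholders, not real AT&T data.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Jun/2010:13:00:01 +0000] "GET /auth/prepopulate?iccid=89014100000000000001 HTTP/1.1" 200 512 "-" "ua"
203.0.113.7 - - [09/Jun/2010:13:00:01 +0000] "GET /auth/prepopulate?iccid=89014100000000000002 HTTP/1.1" 200 512 "-" "ua"
203.0.113.7 - - [09/Jun/2010:13:00:02 +0000] "GET /auth/prepopulate?iccid=89014100000000000003 HTTP/1.1" 200 512 "-" "ua"
203.0.113.7 - - [09/Jun/2010:13:00:02 +0000] "GET /auth/prepopulate?iccid=89014100000000000004 HTTP/1.1" 404 0 "-" "ua"
198.51.100.2 - - [09/Jun/2010:13:05:00 +0000] "GET /auth/prepopulate?iccid=89014100000000000042 HTTP/1.1" 200 512 "-" "iPad"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')
ICCID_RE = re.compile(r'[?&]iccid=(\d{18,20})')
ENDPOINT = '/auth/prepopulate'  # hypothetical pre-population endpoint

def parse_log(text):
    """Yield (client_ip, timestamp, iccid, status) for requests to ENDPOINT."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, ts, path, status = m.groups()
        if not path.startswith(ENDPOINT):
            continue
        idm = ICCID_RE.search(path)
        if not idm:
            continue
        when = datetime.strptime(ts, '%d/%b/%Y:%H:%M:%S %z')
        yield ip, when, idm.group(1), int(status)

def find_enumerators(text, min_distinct=3, window_seconds=60):
    """Flag clients touching >= min_distinct different ICC-IDs within one window.
    Returns {ip: {'ids': sorted ids probed, 'served': number of 200 responses}}."""
    per_ip = defaultdict(list)
    for ip, when, iccid, status in parse_log(text):
        per_ip[ip].append((when, iccid, status))
    flagged = {}
    for ip, events in per_ip.items():
        events.sort()  # sliding window over time-ordered requests
        for i, (start, _, _) in enumerate(events):
            span = [e for e in events[i:] if (e[0] - start).total_seconds() <= window_seconds]
            ids = {e[1] for e in span}
            if len(ids) >= min_distinct:
                flagged[ip] = {'ids': sorted(ids), 'served': sum(1 for e in span if e[2] == 200)}
                break
    return flagged
```

The `served` count (responses with status 200) is the set of subscribers whose email was actually returned, so a notification can be scoped to them rather than mailed to the whole subscriber base.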