Security
Written by Daniel
Monday, 14 June 2010 16:35
From Dark Reading
Researchers who exposed hole say they "did the right thing"; AT&T says they acted "maliciously"

The FBI has launched an investigation into the exposure of email addresses of thousands of iPad customers on an AT&T website this week.
Researchers with Goatse Security who this week revealed the weakness in the AT&T site -- basically a business-logic flaw in AT&T's app that was left available and accessible to the public -- were able to get the email addresses of more than 100,000 iPad customers, including some high-profile people.
Escher Auernheimer, a security analyst with Goatse Security, said in an interview today that his firm "did the right thing" by going public about the hole in AT&T's website.
UPDATE: AT&T sent a letter to Apple 3G iPad owners over the weekend that shed some light on AT&T's position on the hack, according to a report in the New York Times. "On June 7 we learned that unauthorized computer 'hackers' maliciously exploited a function designed to make your iPad log-in process faster by pre-populating an AT&T authentication page with the email address you used to register your iPad for 3G service," wrote Dorothy Attwood, a senior vice president and chief privacy officer at AT&T.
"The hackers deliberately went to great efforts with a random program to extract possible ICC-IDs and capture customer email addresses. They then put together a list of these emails and distributed it for their own publicity," Attwood said.
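The weakness AT&T describes is an unauthenticated lookup that returns a customer's email for any ICC-ID it is handed, which is why walking a range of ICC-IDs was enough to harvest the list. As an added example, not part of the Dark Reading article or of AT&T's own code, the Python below shows the kind of access-log check a defender could run to spot that pattern: a single client querying many distinct ICC-IDs in a short window, where a real iPad only ever asks about its own. The endpoint path /prefill, the iccid parameter name, the IP addresses and the ICC-ID values are all assumed and constructed for this illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access-log lines for a hypothetical unauthenticated pre-population
# endpoint (/prefill, parameter iccid); the path, parameter name, IPs and ICC-IDs
# are all assumed for this example and are not AT&T's real values.
SAMPLE_LOG = """\
203.0.113.7 - - [07/Jun/2010:10:00:01 +0000] "GET /prefill?iccid=8901410400000000001 HTTP/1.1" 200 512
203.0.113.7 - - [07/Jun/2010:10:00:02 +0000] "GET /prefill?iccid=8901410400000000002 HTTP/1.1" 200 512
203.0.113.7 - - [07/Jun/2010:10:00:02 +0000] "GET /prefill?iccid=8901410400000000003 HTTP/1.1" 404 0
203.0.113.7 - - [07/Jun/2010:10:00:03 +0000] "GET /prefill?iccid=8901410400000000004 HTTP/1.1" 200 512
203.0.113.7 - - [07/Jun/2010:10:00:03 +0000] "GET /prefill?iccid=8901410400000000005 HTTP/1.1" 200 512
198.51.100.9 - - [07/Jun/2010:10:00:05 +0000] "GET /prefill?iccid=8901410400000000042 HTTP/1.1" 200 512
198.51.100.9 - - [07/Jun/2010:10:30:00 +0000] "GET /prefill?iccid=8901410400000000042 HTTP/1.1" 200 512
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "GET /prefill\?iccid=(?P<iccid>\d{18,20}) HTTP')

def parse(log_text):
    """Yield (ip, timestamp, iccid) for each request to the pre-fill endpoint."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
            yield m.group("ip"), ts, m.group("iccid")

def find_enumerators(log_text, window=timedelta(minutes=5), max_distinct=3):
    """Return {ip: distinct_iccid_count} for clients that looked up more than
    max_distinct different ICC-IDs within any window-long span. A legitimate
    iPad re-checks its own single ICC-ID; a scraper walks through many."""
    by_ip = defaultdict(list)
    for ip, ts, iccid in parse(log_text):
        by_ip[ip].append((ts, iccid))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {iccid for _, iccid in events[start:end + 1]}
            if len(distinct) > max_distinct:
                flagged[ip] = max(flagged.get(ip, 0), len(distinct))
    return flagged
```

Note that the 404 line still counts as a probe: a miss on one ICC-ID is just as much part of the walk as a hit.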
Meanwhile, Goatse's Auernheimer says the researchers went public with their findings via the Gawker website after AT&T fixed the flaw. They handed over the email addresses they had collected to Gawker, but stipulated that the site not publish the actual addresses. "Our disclosure process was extremely proper and above and beyond," Auernheimer says. "Many researchers do not wait for patches" before they disclose, he says.
"What influenced our decision was that there were so many people who were stewards of important infrastructure on the public and private list [exposed]," he says. "Someone else could have scraped this data."