On Tuesday, popular tech gossip site Valleywag reported a hack targeting AT&T’s infrastructure that led to the accidental disclosure of 100,000 iPad owners’ email addresses.
As far as we can gather at this point, this is most likely a parameter tampering attack. The hackers attacked AT&T’s iPad support web application, traversed through a range of ICCIDs (Integrated Circuit Card identifiers), and were able to eventually obtain valid iPad owners’ email addresses without proper authentication.
If this is indeed true, AT&T has done a poor job designing their web applications. Being able to guard against automated parameter traversal attacks is one of the first things you do to secure your web apps. An automatic parameter traversal attack can be launched fairly easily these days – it does not require sophisticated technology or advanced reconnaissance on the victim web application.
Included in the email addresses disclosed were several prominent celebrities, politicians, and high-profile industry figures, including Rahm Emanuel and Michael Bloomberg.
This attack apparently only affects iPad 3G users, not the Wifi-only iPads. AT&T has stated that this particular flaw on their web application has now been remediated.
Fortunately my iPad is WiFi only.
However, I believe this won’t be the last “breach” for iPad. Given all the Apps are audited/stamped by Apple, some of the Apps and even the iPhone OS itself, could be vulnerable to many attacks. All in all, youself is the key to protect yourself.
Richard. Couldn’t agree more. This attack really isn’t targeting the mobile platform itself. Rather, it aimed at the backend infrastructure of the operator. I think we would see more attacks targeting the iPhone platform itself (and Android too) as mobile platforms become more popular and more critical. Today, there isn’t an easy way to scan iPhones for vulnerabilities unless they are jailbroken. This may change tomorrow. What an interesting world we live in.
How do you like your iPad by the way? I returned mine, by the way. DID NOT LIKE IT!
So far I think my experience is good, mostly for ebook/pdf reading, particularly in conjunction with Google Docs/Dropbox web storage services. Its long battery duration and multi-touch screen are the top 2 plus to me. Goodreader is the first App I ordered from App Store. I like it perhaps because my Thinkpad R400 is too big to carry on outdoors.