iPad infrastructure hacked – iPad owners’ email addresses leaked

On Tuesday, popular tech gossip site Valleywag reported a hack targeting AT&T’s infrastructure that led to the accidental disclosure of 100,000 iPad owners’ email addresses.

As far as we can gather at this point, this is most likely a parameter tampering attack. The hackers attacked AT&T’s iPad support web application, traversed through a range of ICCIDs (Integrated Circuit Card identifiers), and were able to eventually obtain valid iPad owners’ email addresses without proper authentication.

If this is indeed true, AT&T has done a poor job designing their web applications. Guarding against automated parameter traversal attacks is one of the first things you do to secure a web app. An automated parameter traversal attack can be launched fairly easily these days – it does not require sophisticated tooling or advanced reconnaissance of the victim web application.
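As an added example (not code from the original post or from AT&T), here is the defensive control the paragraph above calls for: detection logic that scans web access logs and flags a client that walks through consecutive ICCID values, the signature of an automated parameter traversal. The log format, the endpoint path, the `ICCID` parameter name and the sample log lines are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Common-log-style line; the path and parameter name are assumptions, not AT&T's real endpoint.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "GET (?P<path>\S+) HTTP/1\.[01]" \d{3}')
ICCID_RE = re.compile(r'[?&]ICCID=(\d{18,20})(?:&|$)')

def parse_line(line):
    """Return (ip, timestamp, iccid) for a request carrying an ICCID parameter, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    i = ICCID_RE.search(m['path'])
    if not i:
        return None
    ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
    return m['ip'], ts, int(i.group(1))

def find_enumerators(lines, window_s=60, min_distinct=5, seq_ratio=0.6):
    """Flag clients that query many distinct ICCIDs within window_s seconds where most consecutive
    values differ by exactly 1 (a traversal over an ID range). Returns {ip: (distinct, sequential_steps)}."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec[0]].append((rec[1], rec[2]))
    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort()  # order by time so step detection follows the request sequence
        for start, (t0, _) in enumerate(recs):
            ids = [i for t, i in recs[start:] if (t - t0).total_seconds() <= window_s]
            if len(set(ids)) < min_distinct:
                continue
            steps = sum(1 for a, b in zip(ids, ids[1:]) if abs(b - a) == 1)
            if steps >= seq_ratio * (len(ids) - 1):
                flagged[ip] = (len(set(ids)), steps)
                break
    return flagged

# Constructed sample log: one client walking an ICCID range, one legitimate single lookup.
BASE = 89014103211111111110
SAMPLE_LOG = [
    f'198.51.100.7 - - [10/Jun/2010:09:00:{s:02d} +0000] "GET /ipad/lookup?ICCID={BASE + s} HTTP/1.1" 200'
    for s in range(8)
] + ['203.0.113.5 - - [10/Jun/2010:09:00:03 +0000] "GET /ipad/lookup?ICCID=89014103212222222225 HTTP/1.1" 200']

if __name__ == '__main__':
    print(find_enumerators(SAMPLE_LOG))  # {'198.51.100.7': (8, 7)}
```

The thresholds are tuning knobs: a support portal where each legitimate session looks up one ICCID can set `min_distinct` very low, while the sequential-step ratio keeps a client that looks up a handful of unrelated devices from being flagged.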

The disclosed email addresses included those of several prominent celebrities, politicians, and high-profile industry figures, among them Rahm Emanuel and Michael Bloomberg.

This attack apparently affects only iPad 3G users, not Wi-Fi-only iPads. AT&T has stated that this particular flaw in their web application has now been remediated.


About Chenxi Wang

Dr. Chenxi Wang is a Principal Analyst with Forrester Research. She serves on the security and risk team, covering topics such as cloud security, application security, and content security. Previously Chenxi was Chief Scientist with KSR Inc. (now part of Neohapsis). Prior to that Chenxi was an Associate Professor at Carnegie Mellon University.
3 Responses to iPad infrastructure hacked – iPad owners’ email addresses leaked

  1. Richard says:

    Fortunately my iPad is WiFi only. 🙂
    However, I believe this won’t be the last “breach” for iPad. Given all the Apps are audited/stamped by Apple, some of the Apps and even the iPhone OS itself could be vulnerable to many attacks. All in all, you yourself are the key to protecting yourself.

    • Chenxi Wang says:

      Richard, couldn’t agree more. This attack really isn’t targeting the mobile platform itself. Rather, it aimed at the backend infrastructure of the operator. I think we will see more attacks targeting the iPhone platform itself (and Android too) as mobile platforms become more popular and more critical. Today, there isn’t an easy way to scan iPhones for vulnerabilities unless they are jailbroken. This may change tomorrow. What an interesting world we live in.

      How do you like your iPad by the way? I returned mine, by the way. DID NOT LIKE IT!

  2. Richard says:

    So far I think my experience is good, mostly for ebook/PDF reading, particularly in conjunction with Google Docs/Dropbox web storage services. Its long battery life and multi-touch screen are the top two pluses for me. GoodReader is the first App I ordered from the App Store. I like it perhaps because my ThinkPad R400 is too big to carry around outdoors.

