Hackers fire back at AT&T, say all iPads at risk to Safari hole
In a blog post Monday, Goatse Security asserted that its manipulation of an AT&T web server that spit out the email addresses of over 114,000 iPad 3G subscribers — including many top government and corporate officials — was done as a public service, objecting to allegations in AT&T's apology to customers that it acted "maliciously" and went to "great efforts" to perform the hack.
"AT&T had plenty of time to inform the public before our disclosure. It was not done," the group said. "If not for our firm talking about the exploit to third parties who subsequently notified them, they would have never fixed it and it would likely be exploited by […] some other criminal organization or government."
"[The] finder of the AT&T email leak spent just over a single hour of labor total (not counting the time the script ran with no human intervention) to scrape the 114,000 emails," it added.
Escher Auernheimer, a member of Goatse Security, said the group disclosed the data it extracted from AT&T's server to just one journalist and then destroyed the original copy. He went on to accuse AT&T of dragging its feet on alerting customers and of being dishonest about the potential for harm.
"Post-patch, disclosure should be immediate — within the hour," he wrote. "Days afterward is not acceptable. It is theoretically possible that in the span of a day (particularly after a hole was closed) that a criminal organization might decide to use an old dataset to exploit users before the users could be enlightened about the vulnerability."
Separately, Auernheimer took both Apple and AT&T to task for failing to correct, and to alert users to, a semantic integer overflow bug in Safari for the iPad that the group discovered and publicized back in March.
"It was patched on Apple's desktop Safari but has yet to be patched on the iPad," he said. "This bug we crafted allows the viewer of a webpage to become a proxy (behind corporate and government firewalls!) for spamming, exploit payloads, password bruteforce attacks and other undesirables."
A more detailed explanation posted by Goatse Security describes how Safari on the iPad fails to block access when a URL names a port number that falls outside the 65,536 values representable in a 16-bit integer (a 'short'): such a port does not exist on the wire, and the value is truncated to 16 bits, so the browser's check does not apply to the port that is actually reached.
Once implemented, the hack can reportedly allow hackers to steal someone else's email identity, reflash network devices with firmware, or trick Safari into doing "pretty much anything on any TCP port and not have any current IDS/IPS in existence be any wiser for it."
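The bug class described above, as an added illustration that is not Safari's code or Goatse Security's: a toy browser-style port filter whose block list is consulted on the raw integer from the URL, next to a corrected check that rejects anything outside the 16-bit range before comparing. The block list and the URLs are constructed for the example; the naive parser mimics one that does no range check (Python's own urllib.parse refuses out-of-range ports, which is the right behaviour).

```python
from typing import Callable, Optional, Tuple

# Constructed block list for the example, not any real browser's restricted-port list.
BLOCKED_PORTS = {25, 110, 143, 6667}


def port_as_u16(port: int) -> int:
    """Reduce a port number to the 16-bit field a TCP header actually carries."""
    return port & 0xFFFF


def parse_port_naive(url: str) -> Optional[int]:
    """Naive port extraction: takes the digits after the last ':' of the host part
    with no range check, mimicking a parser that does not validate. Returns None
    when no explicit port is given. (Assumes no bracketed IPv6 literal in the host.)"""
    _, _, rest = url.partition("://")
    host_part = rest.split("/", 1)[0]
    _host, sep, port_text = host_part.rpartition(":")
    if not sep or not port_text.isdigit():
        return None
    return int(port_text)


def is_port_allowed_weak(port: int) -> bool:
    """Weak check: compares the untruncated integer against the block list and
    leaves truncation to the connection layer. 65561 is not on the list, so it
    passes, yet 65561 & 0xFFFF == 25, which is."""
    return port not in BLOCKED_PORTS


def is_port_allowed_fixed(port: int) -> bool:
    """Hardened check: refuse anything outside 0..65535 outright, so the value
    compared against the block list is the value that will be used on the wire."""
    if not 0 <= port <= 0xFFFF:
        return False
    return port not in BLOCKED_PORTS


def connect_decision(url: str, check: Callable[[int], bool]) -> Tuple[bool, Optional[int]]:
    """Return (allowed, port reached on the wire) for a URL under a given check.
    A URL with no explicit port is treated as allowed on its scheme's default."""
    port = parse_port_naive(url)
    if port is None:
        return True, None
    return check(port), port_as_u16(port)


def requests_out_of_range_port(url: str) -> bool:
    """Detection helper for proxy or web-server logs: flag any URL whose explicit
    port exceeds 65535, since no legitimate client has a reason to send one."""
    port = parse_port_naive(url)
    return port is not None and port > 0xFFFF


if __name__ == "__main__":
    sample = "http://example.test:65561/"  # constructed URL: 65536 + 25
    print("weak  :", connect_decision(sample, is_port_allowed_weak))   # (True, 25)
    print("fixed :", connect_decision(sample, is_port_allowed_fixed))  # (False, 25)
    print("flag  :", requests_out_of_range_port(sample))              # True
```

The defensive rule the fixed check embodies is to validate a value in the width it will have when used, not the width the parser happened to hand you; the same mistake appears wherever a wide integer is range-checked and then silently narrowed.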
"The potential for this sort of attack and the number of iPad users on the list we saw who were stewards of major public and commercial infrastructure necessitated our public disclosure," Auernheimer said. "People in critical positions have a right to completely understand the scope of vulnerability immediately."
57 Comments
Are the Feds still looking at these guys? They're so tough ragging on AT&T and Apple. I'd be impressed if they'd "fire back" at the FBI.
". . .likely be exploited by [?] some other criminal organization or government."
This is the only part of the article I disagree with. There's no difference between a criminal organization and government. Separate terms imply a distinction where none exists.
Is this applicable on iPhone Safari as well? I am not clear whether the short integer overflow is the same problem as the AT&T one. Can anyone clarify it?
Oh wow, idiots with scripts they downloaded from a 'hacking' toolkit.
These morons are only out for publicity, they'll keep saying whatever garbage they can pull out of their butts to stay in the news. Gizmodo is highlighting these retards to try and give Apple a black eye. What's amazing is that it took a whole team of these idiots to come up with this, haven't they heard that Google is harvesting wifi data on a global level? Kind of pathetic as a hack, but then again, I'm sure pathetic and goatse go hand in hand... maybe they should try and hack their way into a date with a real live person? I've heard that severe acute cases of virginitus can cause one to do these types of things.
I've got the same skills without any hacker script kit... Just send me your ATM cards and I'll match them to my database of PINs that I 'accessed' through a security hole.
3758
2269
1173
0348
2142
6785
1234
0000
It's that genius. If only I had the amount of time that Goatse's team can dedicate to watch a script randomly generate numbers.
"AT&T had plenty of time to inform the public before our disclosure. It was not done," the group said. "If not for our firm talking about the exploit to third parties who subsequently notified them, they would have never fixed it and it would likely be exploited by […] some other criminal organization or government."
...
"Post-patch, disclosure should be immediate — within the hour," he wrote. "Days afterward is not acceptable. It is theoretically possible that in the span of a day (particularly after a hole was closed) that a criminal organization might decide to use an old dataset to exploit users before the users could be enlightened about the vulnerability."
In other words...
"You AT&T people! We did this iPad FUD attack, and you didn't immediately turn around and amplify our FUD!"
Where's the part where this security company explains why they didn't report the problem directly to AT&T?
Personally, I find it extremely suspicious that this company is using Gawker as their FUD distribution network. I hope the FBI expands their investigation to determine whether this data breach problem is part of Gawker's petulant vengeance thing.