L0phtCrack was one of the original and greatest hacking and auditing tools of the 90's, essentially creating the modern LM/NTLM password auditing landscape. L0pht Heavy Industries, the creators of the tool, were instrumental in raising awareness both of how easy passwords are to crack and of how poorly people choose them.
This week iPad owners had their email addresses leaked via a security vulnerability in the way iPads registered with AT&T's 3G service. Approximately 114,000 email addresses were brute-forced out of a script that was supposed to recognize an iPad owner's ICC-ID (a "unique" identifier that turned out to be predictable) and return that ICC-ID's associated email address in an AJAX response.
The grey-hat security group that found the vulnerability brute-forced ICC-IDs and analyzed the resulting successful requests/responses using a PHP script that faked the iPad user agent. This exploit was apparently circulating in the hacker scene before AT&T removed the functionality.
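An added example, not the Praetorian script or any code from the original post: a defender-side check that reads web-server access logs for the pattern described above, one client walking predictable, consecutive ICC-IDs against the lookup endpoint behind an iPad user agent. The log lines, the `/ipad/lookup` path and the `ICCID` query parameter are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache combined-format log lines; host path, IPs and ICC-IDs are
# invented. 203.0.113.7 walks consecutive ICC-IDs behind an iPad user agent,
# 198.51.100.9 is a single ordinary lookup.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Jun/2010:10:00:01 +0000] "GET /ipad/lookup?ICCID=89014104212345678900 HTTP/1.1" 200 312 "-" "Mozilla/5.0 (iPad; U; CPU OS 3_2 like Mac OS X)"
203.0.113.7 - - [09/Jun/2010:10:00:02 +0000] "GET /ipad/lookup?ICCID=89014104212345678901 HTTP/1.1" 200 318 "-" "Mozilla/5.0 (iPad; U; CPU OS 3_2 like Mac OS X)"
203.0.113.7 - - [09/Jun/2010:10:00:02 +0000] "GET /ipad/lookup?ICCID=89014104212345678902 HTTP/1.1" 404 0 "-" "Mozilla/5.0 (iPad; U; CPU OS 3_2 like Mac OS X)"
203.0.113.7 - - [09/Jun/2010:10:00:03 +0000] "GET /ipad/lookup?ICCID=89014104212345678903 HTTP/1.1" 200 305 "-" "Mozilla/5.0 (iPad; U; CPU OS 3_2 like Mac OS X)"
203.0.113.7 - - [09/Jun/2010:10:00:04 +0000] "GET /ipad/lookup?ICCID=89014104212345678904 HTTP/1.1" 200 322 "-" "Mozilla/5.0 (iPad; U; CPU OS 3_2 like Mac OS X)"
198.51.100.9 - - [09/Jun/2010:10:00:05 +0000] "GET /ipad/lookup?ICCID=89014104299887766554 HTTP/1.1" 200 310 "-" "Mozilla/5.0 (iPad; U; CPU OS 3_2 like Mac OS X)"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
ICCID_RE = re.compile(r'[?&]ICCID=(\d+)')

def parse_line(line):
    """Return (ip, timestamp, iccid, status) for an ICC-ID lookup line, else None."""
    m = LOG_RE.match(line)
    icc = ICCID_RE.search(m['path']) if m else None
    if not icc:
        return None
    ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
    return m['ip'], ts, int(icc.group(1)), int(m['status'])

def detect_enumeration(log_text, window_seconds=60, min_distinct=4, min_sequential=3):
    # Flag clients that query many distinct, mostly consecutive ICC-IDs inside one window.
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_ip[rec[0]].append(rec[1:])
    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort()
        ids = [iccid for _, iccid, _ in recs]
        # +1 steps between successive lookups betray a counter, whatever the user agent says
        sequential = sum(1 for a, b in zip(ids, ids[1:]) if b - a == 1)
        # sliding window over timestamps: most distinct ICC-IDs seen within window_seconds
        start, peak = 0, 0
        for end, (ts, _, _) in enumerate(recs):
            while (ts - recs[start][0]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, len({r[1] for r in recs[start:end + 1]}))
        if peak >= min_distinct and sequential >= min_sequential:
            flagged[ip] = {'distinct_in_window': peak, 'sequential_steps': sequential,
                           'emails_returned': sum(1 for _, _, st in recs if st == 200)}
    return flagged
```

The `emails_returned` count (HTTP 200 responses) tells the responder how many addresses actually left the server, which is the number that matters for notification.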
Although email addresses are usually harmless, a large number of high-ranking military and government officials registered their .mil and .gov addresses with their iPads, not to mention celebrities whose email addresses are usually hush-hush. Knowing these addresses opens their owners up to a large number of spammers and would-be social engineers who will now be checking every login field on the internet for accounts belonging to them (and we all know celebs use strong passwords, yes?).
Many of these addresses will have to be changed or removed entirely, some mail systems will need to be re-examined for hardening, spam rules will need to be tweaked, etc. A lot of IT elbow grease will go into preventing damage from Apple's and AT&T's debacle. Early adopters of technology should always assume they are basically in the beta-test phase as far as security is concerned.
Remember, an iPad a day doesn’t keep the hackers away!
Praetorian Security released a blog post that has the actual script used here.