SecurityWeek

Cybercrime

Researcher Found Guilty For Exposing AT&T’s iPad Customer Data in 2010

Andrew Auernheimer, of Goatse Security fame, was found guilty on Tuesday of one count of conspiracy to gain unauthorized access to computers and one count of identity theft. His case started back in 2010, when he and Daniel Spitler exposed a logic flaw in a web application used by AT&T iPad customers.


On June 7, 2010, Auernheimer, who also goes by the pseudonym weev, and Spitler used a PHP script to collect data that was being pushed to the public via a web application used by AT&T’s iPad 3G customers. In a letter to customers apologizing for the incident, AT&T warned them that self-described hackers had maliciously exploited a function designed to make customers’ iPad log-ins faster, “…by pre-populating an AT&T authentication page” with the email address used to register the iPad to its 3G service.

So how did that happen exactly? The telecom giant, in order to make the user experience online appear faster and easier to navigate, used an integrated circuit card identifier (ICC-ID), and combined it with the iPad user’s registered email to populate a field within its web application.

The web application assumed the ICC-ID would only ever come from an iPad. The logic flaw, then, is that AT&T never considered what would happen if someone simply submitted the POST data containing the ICC-ID to the web application themselves. Granted, there was a check in place to give the application some measure of protection; but here too AT&T dropped the ball, because the check merely required that the POST request carry an iPad User-Agent header. Headers are trivially set by the client, so the check was rendered useless by Goatse Security.

ICC-IDs are easily located online (they can be read off photos posted to Flickr, for example) and they are sequential in nature. Another issue that made the collection of data easier was that the application placed no restrictions whatsoever on the number or rate of requests. Thus an automated process like the one Goatse Security developed could run for as long as it wanted.
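The two design mistakes described above, an ICC-ID accepted from anyone who claims to be an iPad and no request limits, are shown below as an added illustration. This is constructed example code, not AT&T’s application or Goatse Security’s script: the account table, ICC-ID values, e-mail addresses and the `PrefillService` session model are all assumptions. The vulnerable handler is placed beside a hardened variant that releases the e-mail only to a session already authenticated for that ICC-ID and caps requests per client.

```python
"""Constructed illustration of the ICC-ID prefill logic flaw and a hardened variant."""
from collections import defaultdict
from typing import Optional
import secrets

# Constructed sample account table: ICC-ID -> registered e-mail (fake values).
ACCOUNTS = {
    "89014104243800001001": "alice@example.com",
    "89014104243800001002": "bob@example.com",
    "89014104243800001003": "carol@example.com",
}


def prefill_email_vulnerable(headers: dict, form: dict) -> Optional[str]:
    """Flawed logic: the only gate is a client-controlled User-Agent header,
    and the e-mail is returned for any ICC-ID presented in the POST body."""
    if "iPad" not in headers.get("User-Agent", ""):
        return None
    return ACCOUNTS.get(form.get("ICCID"))


class PrefillService:
    """Hardened variant (assumed design). Possessing an ICC-ID proves nothing,
    so the e-mail is released only to a session bound to that ICC-ID, and the
    number of lookups each client may make is capped."""

    def __init__(self, max_requests: int = 5):
        self.max_requests = max_requests
        self.requests = defaultdict(int)   # client_id -> lookups so far
        self.sessions = {}                 # session token -> ICC-ID it was issued for

    def issue_session(self, iccid: str) -> str:
        """Called only after the device has authenticated by some stronger
        means (assumed to happen out of band); binds a token to the ICC-ID."""
        token = secrets.token_hex(16)
        self.sessions[token] = iccid
        return token

    def prefill_email(self, client_id: str, session: Optional[str], form: dict) -> Optional[str]:
        # Count every attempt, successful or not, so enumeration hits the cap.
        self.requests[client_id] += 1
        if self.requests[client_id] > self.max_requests:
            return None                    # rate limit exceeded
        iccid = form.get("ICCID")
        # The session must exist and must have been issued for this very ICC-ID;
        # headers such as User-Agent play no part in the decision.
        if session is None or self.sessions.get(session) != iccid:
            return None
        return ACCOUNTS.get(iccid)
```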

Goatse Security’s script, which they named the “iPad 3G Account Slurper,” ran from June 5 through June 9, 2010, and acquired approximately 120,000 ICC-ID/e-mail address pairings for iPad 3G customers. The collected data was shopped around to a few news outlets, and after several refused to run the story, it was given to Gawker, which published the data with some redactions.

At the time, Gawker wrote that the logic flaw and Goatse Security’s efforts, “exposed the most exclusive e-mail list on the planet.” The news site named a number of famous individuals whose e-mails had been leaked by AT&T’s application, including Diane Sawyer, Harvey Weinstein, and Mayor Michael Bloomberg. The list also included other government officials, business executives, and the military, including William Eldredge, commander of a B-1 bomber group for the U.S. Air Force. Gawker reported that White House Chief of Staff Rahm Emanuel was on the list as well.

In an interview with The Wall Street Journal at the time of the incident, AT&T chief security officer Ed Amoroso said that if the company could do things over, it would not have “pre-populated” the Web application field with user email addresses. According to court documents, AT&T said the total cost to fix the Web application logic flaw was about $73,000 USD.

“[Auernheimer] isn’t a criminal. He wasn’t trying to profit. He simply noticed that AT&T had made user accounts publicly available, and published proof. He believed that since the information was publicly available he was not exceeding authorization. He stuck his head up above the herd. For that, he was convicted today under the CFAA and is on his way to jail (well, currently still out on bail awaiting sentencing),” wrote Robert Graham on the Errata Security Blog.


Graham’s blog post focused on the vagueness and seemingly overextended reach of the current Computer Fraud and Abuse Act (CFAA), under which Auernheimer was convicted.

Auernheimer will appeal the conviction; he currently faces up to 10 years in prison and $500,000 in fines. He remains out on bail for at least the next 90 days. Daniel Spitler pled guilty to the same charges in June 2011.
