Security Experts:

Researcher Found Guilty For Exposing AT&T's iPad Customer Data in 2010

Andrew Auernheimer, of Goatse Security fame, was found guilty on Tuesday of one count of conspiracy to gain unauthorized access to computers and one count of identity theft. His case started back in 2010, when he and Daniel Spitler exposed a logic flaw in a web application used by AT&T iPad customers.

Andrew Auernheimer, WeevOn June 7, 2010, Auernheimer, who is also goes by the pseudonym weev, and Spitler used a PHP script to collect data that was being pushed to the public via a web application used by AT&T’s iPad 3G customers. In a letter to customers, apologizing for the incident, AT&T warned them that self-described hackers had maliciously exploited a function designed to make customer’s iPad log-ins faster, “ pre-populating an AT&T authentication page” with the email address used to register the iPad to its 3G service.

So how did that happen exactly? The telecom giant, in order to make the user experience online appear faster and easier to navigate, used an integrated circuit card identifier (ICC-ID), and combined it with the iPad user’s registered email to populate a field within its web application.

The web application assumed the ICC-ID would only come from an iPad. So the logic flaw in this instance is that AT&T never thought to check what would happen if someone simply presented the POST data with the ICC-ID to the web application themselves. Granted, there were checks in place to give the application some measure of protection; but again, AT&T dropped the ball and simply required that the POST request come with an iPad USER-AGENT in the headers. Headers are easily spoofed, so the check was rendered useless by Goatse Security.

ICC-IDs are easily located online (you can obtain them from photos on Flickr for example) and they’re sequential in nature. Another issue in this case, which made the collection of data easier, is the lack of restrictions on requests made to the application – there were none. Thus an automatic process like the one Goatse Security developed could run as long as it wanted.

Goatse Security’s “iPad 3G Account Slurper” as it was named, ran from June 5 through June 9, 2010, and acquired approximately 120,000 ICC-ID/e-mail address pairings for iPad 3G customers. The collected data was shopped around to a few news outlets, and after several refused to run with the story, they were given to Gawker, who published the data with some redactions.

At the time, Gawker wrote that the logic flaw and Goatse Security’s efforts, “exposed the most exclusive e-mail list on the planet.” The news site named a number of famous individuals whose e-mails had been leaked by AT&T’s application, including Diane Sawyer, Harvey Weinstein, and Mayor Michael Bloomberg. The list also included other government officials, business executives, and the military, including William Eldredge, commander of a B-1 bomber group for the U.S. Air Force. Gawker reported that White House Chief of Staff Rahm Emanuel was on the list as well.

In an interview with The Wall Street Journal at the time of the incident, AT&T chief security officer Ed Amoroso said that if the company could do things over, it would not have “pre-populated” the Web application field with user email addresses. According to court documents, AT&T said the total cost to fix the Web application logic flaw was about $73,000 USD.

“[Auernheimer] isn’t a criminal. He wasn’t trying to profit. He simply noticed that AT&T had made user accounts publicly available, and published proof. He believed that since the information was publicly available he was not exceeding authorization. He stuck his head up above the herd. For that, he was convicted today under the CFAA and is on his way to jail (well, currently still out on bail awaiting sentencing),” wrote Robert Graham on the Errata Security Blog.

Graham's blog post focused on the vagueness and seemingly overextended reach of the current Computer Fraud & Abuse Act, under which Auernheimer was convicted. 

Auernheimer will appeal the conviction, as he currently faces up to 10 years in prison and $500,000 in fines. He is out on bail for at least the next 90-days. Daniel Spitler pled guilty to the same charges in June 2011.

view counter
Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.