Last night AT&T sent an email to iPad 3G owners regarding last week’s security breach (which has grabbed the FBI’s attention) that revealed the email addresses of around 114,000 iPad 3G customers. The email didn’t offer anything more than a quick summary of the situation, but AT&T made it clear that it viewed the hacker’s attempt as malicious, reports The New York Times.
The hacker group, known as Goatse Security, didn’t take too kindly to AT&T’s characterization. In a blog post of its own, the group criticized AT&T’s handling of the situation, and painted itself as as more of a “white hat” hacker group — one that aims to help companies by making them aware of security flaws. Goatse also pointed out that, according to some security researchers, the information revealed in the breach could have impacted user privacy more than AT&T led us to believe.
The group also added that it revealed a major security exploit in Apple’s Safari Web browser months ago, which has yet to be fixed:
I released a semantic integer overflow exploit for Safari through Goatse Security in March –- it was patched on Apple’s desktop Safari but has yet to be patched on the iPad. This bug we crafted allows the viewer of a webpage to become a proxy (behind corporate and government firewalls!) for spamming, exploit payloads, password bruteforce attacks and other undesirables. The kicker is that this attack cannot be detected by any current IDS/IPS system. We released this in March, mind you, and Apple still hasn’t got around to patching this on the iPad!
In the hands of an experienced and malicious hacker, such an exploit could be used to do serious damage. Since it knew the exploit still existed for iPads, Goatse says that led to it making the AT&T security hole public to protect users. “People in critical positions have a right to completely understand the scope of vulnerability immediately. Not days or weeks or months after potential intrusion,” the group wrote.
Goatse could have certainly done worse than alerting Gawker to the AT&T security breach, so there may be some truth to its white hat claims. Still, I don’t suspect that AT&T will be thanking the group any time soon.
Don’t miss MobileBeat 2010, VentureBeat’s conference on the future of mobile. The theme: “The year of the superphone and who will profit.” Now expanded to two days, MobileBeat 2010 will take place on July 12-13 at The Palace Hotel in San Francisco. Register now. Tickets are going quickly. For complete conference details, or to apply for the MobileBeat Startup Competition, click here.