news-record.com

AT&T security hole exposes iPad users' e-mails

Thursday, June 10, 2010
(Updated 11:10 am)

SAN FRANCISCO (AP) — AT&T Inc. on Wednesday acknowledged a security weak spot that exposed the e-mail addresses of apparently more than 100,000 users of Apple Inc.'s iPad, a breach that could make those people vulnerable to precision-targeted hacking attacks.

The vulnerability affected only iPad users who signed up for AT&T's 3G wireless Internet service.

It involved an insecure way that AT&T's website would prompt iPad users when they tried to log in to their AT&T accounts through the devices. The site would supply users' e-mail addresses to make log-ins easier based on unique codes contained in the SIM cards inside their iPads. SIM cards are used to tell cell phone networks which subscriber is trying to use the service.

The hacker group that claims to have discovered the weakness -- the group calls itself Goatse Security -- said it was able to trick AT&T's site into coughing up more than 114,000 e-mail addresses, including those that appeared to belong to media personalities and government officials.

A representative for the group said late Wednesday that the group contacted AT&T and waited until the vulnerability was fixed before going public with the information. AT&T said the problem was fixed Tuesday but that it was alerted to it by a business customer.

Gawker Media Inc.'s Valleywag website earlier reported on the breach.

AT&T said it will notify all iPad users whose e-mail addresses may have been accessed.

"We take customer privacy very seriously and while we have fixed this problem, we apologize to our customers who were impacted," the company said in a statement.

AT&T noted that the only information hackers would have been able to steal using this attack was users' e-mail addresses. But that can be enough to launch a highly effective attack, since the attacker also knows that the person receiving the e-mail is an iPad user and an AT&T customer and would expect to receive e-mail from Apple and AT&T about their accounts. Criminals could use that knowledge to trick them into opening e-mails that plant malicious software on their computers.

An Apple representative deferred requests for comment to AT&T.

Apple has sold more than 2 million iPads since they went on sale two months ago. The iPad comes in two different flavors - one that only connects to the Internet via Wi-Fi, and another that also can connect through AT&T's "3G" cellular network. The Wi-Fi-only models aren't affected by the breach. Apple hasn't specified how many of each model it has sold.

Comments

atfyi

June 10, 2010 - 9:23 am EDT

It is too bad Apple can't keep that from happening or figure out Flash.

Panacea

June 10, 2010 - 9:35 am EDT

Security problems will never go away. What one person can encode, another can decode. Anyway, the problem is not with Apple, but with AT&T.

Apple has Flash figured out. Steve Jobs hates Flash, that's why the iPhone and iPad don't use it. Adobe refuses to fix the problems with Flash, the key one being it's a resource hog. I hate Flash; I disable it on my computers unless I really need to look at something with it. Flash is mostly used for advertising anyway, so unless I'm on YouTube I leave it turned off. Also, Flash is on the way out. HTML 5 will eventually replace it. It's not a matter of if. It's a matter of when.

histrion

June 10, 2010 - 1:48 pm EDT

Don't believe everything that comes out of Jobs' mouth.

First, Flash Player itself isn't the resource hog: poor Flash developers' applications are the resource hogs. Granted, Flash Player should be much stingier with resource allocations to prevent your average (i.e., self-taught, under-trained) Flash dev from making the dumb mistakes that lead to run-away apps, but the same can be said about pretty much every programming language out there -- including Objective C. I don't think Adobe "refuses to fix" the problem -- they're just stuck trying to figure out how to keep peons from making their product look bad without unduly limiting how the thousands of skilled, well-trained, committed Flash developers out there use the app.

(and why can't Apple just enforce resource limitations on Safari plug-ins across the board? or block Flash apps by default but allow users to run them selectively?)

Second: If I pay $500+ for a device, I should darn-well be able to run whatever the heck I want to run on it. They don't have to provide support to me if I run something stupid, but blocking what has become a core browser technology like Flash to shelter little ol' naive me from the wild, wild Web is more than a little condescending in my opinion.

Which is just one of many reasons why I'll go with Android (when I can afford any of these dumb things) and many other folks will, too, and iDevices will become increasingly marginalized except among the Cult of Apple, as has always been the case with Apple products.

And HTML 5 is not, nor will it ever be, a development platform for RIA UIs. Not as long as we have Safari, IE, Firefox, Opera, and the various mobile platforms to contend with. You think browser developers are suddenly going to become strict standards evangelists and toe the line across the board, history notwithstanding? I don't think so.

And as a side note, on the question of advertising and the blocking thereof: How much are you willing to pay for a subscription to this site?
