AT&T and Goatse Security are exchanging barbs over the public disclosure of a security flaw in AT&T’s Web application for the iPad 3G.
The leak exposed the e-mail addresses and ICC IDs (the serial numbers of the iPads’ SIM cards) of more than 100,000 customers, including top-ranking government officials, and has prompted an investigation by the FBI.
In a letter to customers sent by the company’s chief privacy officer, Dorothy Attwood, AT&T went on the offensive, slamming the group that disclosed the leak as “computer hackers” who “maliciously” exploited a function on the carrier’s authentication page that was meant to make the iPad log-in process faster.
The carrier also claimed the group that exposed the flaw “went to great efforts” to extract ICC IDs and their associated e-mails.
In a statement, Goatse Security analyst Escher Auernheimer disputed AT&T’s account, claiming the carrier failed to notify the public about the problem in a timely manner after being notified by “third parties.”
“AT&T had plenty of time to inform the public before our disclosure. It was not done,” Auernheimer said. “Post-patch, disclosure should be immediate – within the hour. Days afterward is not acceptable. It is theoretically possible that in the span of a day (particularly after a hole was closed) a criminal organization might decide to use an old dataset to exploit users before the users could be enlightened about the vulnerability.”
AT&T said last week it was notified by a “business customer” of the security flaw on Monday, June 7, and fixed the problem by Tuesday, June 8. Attwood’s letter claims AT&T disabled the Web application’s ability to automatically populate e-mail addresses “within hours” of becoming aware of the situation.
Goatse Security said it notified “third parties who subsequently notified” AT&T before disclosing the security breach to Gawker.com, which broke the story on June 9. AT&T confirmed the breach to the media after the story broke and sent customers a letter about the issue on Sunday, June 13.
Auernheimer also took issue with AT&T’s claims that Goatse Security’s hack of the iPad Web application was malicious and that the group “went to great efforts” to discover the security flaw.
“…the finder of the AT&T e-mail leak spent just over a single hour of labor total (not counting the time the script ran with no human intervention) to scrape the 114,000 e-mails,” he said. “(There) was not a hint of maliciousness in our disclosure. We disclosed only to a single journalist and destroyed the data afterward. We did the right thing, and I will stand by the actions of my team and protect the finder of this bug no matter what the cost.”
Auernheimer’s claim that it took just an hour to discover the flaw in AT&T’s Web application is in line with the views of mobile security researchers who told Wireless Week that the security hole could have been easily avoided with better testing of AT&T’s Web applications.
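The flaw described above amounts to an unauthenticated lookup keyed on a predictable identifier, and the scrape Auernheimer describes is a script walking through ICC IDs in order. The detection logic below is an added example, not code from AT&T or Goatse Security: it scans constructed access-log lines for a single client requesting many distinct ICC IDs in a short window, the pattern a defender would alert on even before the endpoint is fixed. The `/ipad/login` path and the `iccid` query parameter are assumptions for illustration, not the carrier’s real URL.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines in Common Log Format. The path, parameter
# name and ICC ID values are invented for this example.
SAMPLE_LOG = """\
203.0.113.5 - - [07/Jun/2010:10:00:01 +0000] "GET /ipad/login?iccid=8901000000000000001 HTTP/1.1" 200 512
203.0.113.5 - - [07/Jun/2010:10:00:02 +0000] "GET /ipad/login?iccid=8901000000000000002 HTTP/1.1" 200 512
203.0.113.5 - - [07/Jun/2010:10:00:03 +0000] "GET /ipad/login?iccid=8901000000000000003 HTTP/1.1" 200 512
203.0.113.5 - - [07/Jun/2010:10:00:04 +0000] "GET /ipad/login?iccid=8901000000000000004 HTTP/1.1" 200 512
198.51.100.7 - - [07/Jun/2010:10:00:05 +0000] "GET /ipad/login?iccid=8901000000000009999 HTTP/1.1" 200 512
198.51.100.7 - - [07/Jun/2010:10:30:05 +0000] "GET /ipad/login?iccid=8901000000000009999 HTTP/1.1" 200 512
"""

# Matches client IP, timestamp and the ICC ID supplied to the lookup endpoint.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "GET /ipad/login\?iccid=(\d+) ')


def parse(log_text):
    """Yield (client_ip, timestamp, iccid) for every lookup request in the log."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            yield m.group(1), ts, m.group(3)


def find_enumerators(log_text, window=timedelta(minutes=5), threshold=3):
    """Flag clients that looked up at least `threshold` distinct ICC IDs inside
    any `window`-long span; also note whether the IDs form a consecutive run,
    which is the signature of a script walking the identifier space."""
    events = defaultdict(list)
    for ip, ts, iccid in parse(log_text):
        events[ip].append((ts, iccid))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            ids = {icc for ts, icc in evs[i:] if ts - start <= window}
            if len(ids) >= threshold:
                ordered = sorted(int(x) for x in ids)
                sequential = all(b - a == 1 for a, b in zip(ordered, ordered[1:]))
                flagged[ip] = {"distinct_iccids": len(ids), "sequential": sequential}
                break
    return flagged


if __name__ == "__main__":
    print(find_enumerators(SAMPLE_LOG))
```

The legitimate client that re-queries its own ICC ID is not flagged, while the sequential walk from a single address is.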