Hackers fire back at AT&T, say all iPads at risk to Safari hole

Posted in iPad, edited January 2014
Disgruntled at having been characterized as 'malicious' by AT&T, the group of hackers who exploited a hole in the wireless operator's website last week have fired back by accusing both AT&T and Apple of acting irresponsibly in regard to iPad security.



In a blog post Monday, Goatse Security attested that its manipulation of an AT&T web server that spit out the email addresses of over 114,000 iPad 3G subscribers -- including many top government and corporate officials -- was done as a public service, objecting to allegations in AT&T's apology to customers that it acted "maliciously" and went to "great efforts" to perform the hack.



"AT&T had plenty of time to inform the public before our disclosure. It was not done," the group said. "If not for our firm talking about the exploit to third parties who subsequently notified them, they would have never fixed it and it would likely be exploited by […] some other criminal organization or government."



"[The] finder of the AT&T email leak spent just over a single hour of labor total (not counting the time the script ran with no human intervention) to scrape the 114,000 emails," it added.



Escher Auernheimer, a member of Goatse Security, said the group disclosed the data it extracted from AT&T's server to just one journalist and then destroyed the original copy. He went on to accuse AT&T of dragging its feet on alerting customers and being dishonest about the potential for harm.



"Post-patch, disclosure should be immediate -- within the hour," he wrote. "Days afterward is not acceptable. It is theoretically possible that in the span of a day (particularly after a hole was closed) that a criminal organization might decide to use an old dataset to exploit users before the users could be enlightened about the vulnerability."



Separately, Auernheimer took both Apple and AT&T to task for failing to correct, and to alert users to, a semantic integer overflow exploit in Safari for the iPad that the group discovered and publicized back in March.



"It was patched on Apple’s desktop Safari but has yet to be patched on the iPad," he said. "This bug we crafted allows the viewer of a webpage to become a proxy (behind corporate and government firewalls!) for spamming, exploit payloads, password bruteforce attacks and other undesirables."



A more detailed explanation of the hack posted by Goatse Security describes how Safari on the iPad fails to block access to some nonexistent ports: port numbers that fall outside the 65536 different values representable in a 16-bit number, also known as a 'short' integer, so that an out-of-range port can wrap around to one that the browser is supposed to refuse.
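As an added illustration (not code from Goatse Security, Apple or AppleInsider), the C snippet below reproduces the shape of the defect described above: a restricted-port check performed on a wide integer that is then stored in a 16-bit short, next to the order of checks that closes the gap. The blocked-port list and the 65561 input are constructed for the demo.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed, illustrative subset of ports a browser refuses to contact
 * from web content (e.g. mail ports). Not Safari's actual list. */
static const uint16_t kBlockedPorts[] = { 25, 110, 143, 6667 };

static bool is_blocked_port(uint32_t port)
{
    for (size_t i = 0; i < sizeof kBlockedPorts / sizeof kBlockedPorts[0]; i++)
        if (kBlockedPorts[i] == port)
            return true;
    return false;
}

/* VULNERABLE ordering: the block list is consulted on the 32-bit value
 * parsed from the URL, but the connection is made with the value after it
 * is truncated to a 16-bit "short". 65561 is not in the list, so it passes,
 * then wraps to 25 when stored. Returns the port that would be used on the
 * wire, or -1 if refused. */
int port_allowed_vulnerable(uint32_t parsed_port)
{
    if (is_blocked_port(parsed_port))
        return -1;
    uint16_t wire_port = (uint16_t)parsed_port;  /* silent modulo-65536 wrap */
    return wire_port;
}

/* FIXED ordering: reject anything outside 0..65535 first, so the value that
 * is tested against the block list is the value that reaches the wire. */
int port_allowed_fixed(uint32_t parsed_port)
{
    if (parsed_port > 65535u)                    /* no such TCP port exists */
        return -1;
    uint16_t wire_port = (uint16_t)parsed_port;  /* lossless after the range check */
    if (is_blocked_port(wire_port))
        return -1;
    return wire_port;
}

int main(void)
{
    uint32_t p = 65536u + 25u;   /* constructed input: 65561 wraps to 25 */
    printf("vulnerable: %d\nfixed: %d\n",
           port_allowed_vulnerable(p), port_allowed_fixed(p));
    return 0;
}
```

The same ordering mistake applies to any check done on a wider type than the field the value is finally stored in; validating the range at the point of parsing is the general fix.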

Once implemented, the hack can reportedly allow hackers to steal someone else's email identity, reflash network devices with firmware, or trick Safari into doing "pretty much anything on any TCP port and not have any current IDS/IPS in existence be any wiser for it."



"The potential for this sort of attack and the number of iPad users on the list we saw who were stewards of major public and commercial infrastructure necessitated our public disclosure," Auernheimer said. "People in critical positions have a right to completely understand the scope of vulnerability immediately."

Comments

  • Reply 1 of 57
    robin huber Posts: 3,224, member
    Are the Feds still looking at these guys? They're so tough ragging on AT&T and Apple. I'd be impressed if they'd "fire back" at the FBI.
  • Reply 2 of 57
    christophb Posts: 1,438, member
    ". . .likely be exploited by […] some other criminal organization or government."



    This is the only part of the article I disagree with. There's no difference between a criminal organization and a government. Separate terms imply a distinction where none exists.







  • Reply 3 of 57
    anakin1992 Posts: 283, member
    is this applicable on iphone safari as well? i am not clear whether short integer overflow is the same problem as that by att. can anyone clarify it?
  • Reply 4 of 57
    oxygenhose Posts: 236, member
    Oh wow, idiots with scripts they downloaded from a 'hacking' toolkit.



    These morons are only out for publicity, they'll keep saying whatever garbage they can pull out of their butts to stay in the news. Gizmodo is highlighting these retards to try and give Apple a black eye. What's amazing is that it took a whole team of these idiots to come up with this, haven't they heard that Google is harvesting wifi data on a global level? Kind of pathetic as a hack, but then again, I'm sure pathetic and goatse go hand in hand... maybe they should try and hack their way into a date with a real live person? I've heard that severe acute cases of virginitus can cause one to do these types of things.



    I've got the same skills without any hacker script kit... Just send me your ATM cards and I'll match them to my database of PINs that I 'accessed' through a security hole.

    3758

    2269

    1173

    0348

    2142

    6785

    1234

    0000

    It's that genius. If only I had the amount of time that Goatse's team can dedicate to watch a script randomly generate numbers.

  • Reply 5 of 57
    Quote:
    Originally Posted by AppleInsider View Post


    "AT&T had plenty of time to inform the public before our disclosure. It was not done," the group said. "If not for our firm talking about the exploit to third parties who subsequently notified them, they would have never fixed it and it would likely be exploited by […] some other criminal organization or government."



    ...



    "Post-patch, disclosure should be immediate -- within the hour," he wrote. "Days afterward is not acceptable. It is theoretically possible that in the span of a day (particularly after a hole was closed) that a criminal organization might decide to use an old dataset to exploit users before the users could be enlightened about the vulnerability."



    In other words...



    "You AT&T people! We did this iPad FUD attack, and you didn't immediately turn around and amplify our FUD!"



    Where's the part where this security company explains why they didn't report the problem directly to AT&T?



    Personally, I find it extremely suspicious that this company is using Gawker as their FUD distribution network. I hope the FBI expands their investigation to determine whether this data breach problem is part of Gawker's petulant vengeance thing.
  • Reply 6 of 57
    sensi Posts: 346, member
    Quote:
    Originally Posted by anakin1992 View Post


    is this applicable on iphone safari as well? i am not clear whether short integer overflow is the same problem as that by att. can anyone clarify it?



    Yep, it still seems applicable to the iphone, ipod and ipad versions of safari. Currently only the Safari desktop version has been patched.



    Quote:

    List of Webkit-based browsers found to be affected:



    * OS X Safari

    * iPhone/iPod Safari

    * iPad Safari (confirmed with iPad Simulator in SDK 3.2 beta 4 w/ XCode 3.2.2)

    * Arora

    * iCab

    * OmniWeb

    * Stainless



    The only Webkit-based browser found to not be vulnerable:



    * Google Chrome



    cf. http://encyclopediadramatica.com/Safari_XPS_Attack
  • Reply 7 of 57
    anakin1992 Posts: 283, member
    Quote:
    Originally Posted by TalkinMan View Post


    In other words...

    I hope the FBI expands their investigation to determine whether this data breach problem is part of Gawker's petulant vengeance thing.



    you meant:



    1: gizmodo's iphone4 exposure?

    2: ryan tate's heated email exchange with steve jobs, who disparaged ryan as a useless snob?

    3: steve jobs' disparagement of web bloggers vs traditional media?
  • Reply 8 of 57
    shobiz Posts: 207, member
    Quote:
    Originally Posted by TalkinMan View Post


    In other words...



    "You AT&T people! We did this iPad FUD attack, and you didn't immediately turn around and amplify our FUD!"



    Where's the part where this security company explains why they didn't report the problem directly to AT&T?



    Personally, I find it extremely suspicious that this company is using Gawker as their FUD distribution network. I hope the FBI expands their investigation to determine whether this data breach problem is part of Gawker's petulant vengeance thing.



    Anything even remotely associated with Gawker is suspect for me now.
  • Reply 9 of 57
    Quote:
    Originally Posted by anakin1992 View Post


    you meant:



    1: gizmodo's iphone4 exposure?

    2: ryan tate's heated email exchange with steve jobs, who disparaged ryan as a useless snob?

    3: steve jobs' disparagement of web bloggers vs traditional media?



    I'm never going on to gawker or any of their websites, after what they did to the poor apple engineer who lost the phone. That being said, I think this thing is getting blown out of proportion.
  • Reply 10 of 57
    thompr Posts: 1,510, member
    Quote:
    Originally Posted by AppleInsider View Post


    Escher Auernheimer, a member of Goatse Security, said the group disclosed the data it extracted from AT&T's server to just one journalist and then destroyed the original copy. He went on to accuse AT&T of dragging its feet on alerting customers and being dishonest about the potential for harm.



    Can anybody explain why Goatse Security felt compelled to actually provide the data to a journalist? There was already a story there without actually providing the data (that they acknowledge as private).



    By sending the private data out like that, they could no longer vouch for its security. (Wouldn't this be a fairly big no-no if this were a REAL security organization?)



    Thompson
  • Reply 11 of 57
    blursd Posts: 123, member
    This reminds me of an article I was reading on Dagens Nyheter (Daily News) a couple days back. There was a motorist in Sweden that was pissed off about cyclists on the roads, so when one got in his way in the middle of a roundabout he rammed him off the road. When asked by the police if he felt he did anything wrong he said, "If he didn't want to get hit by a car he shouldn't have been on the road."



    This seems to be the same justification these people used ... AT&T was doing something we don't like and that we consider reckless so we're going to hit them with our car (metaphorically speaking).
  • Reply 12 of 57
    Seriously, everyone saying how all the blogs are so anti-Apple these days is getting really irritating. Sounds like Sarah Palin whining about the “mainstream media.” Are the blogs perfectly unbiased? Probably not; they’re blogs after all. But they aren’t anywhere close to being bad enough that one would have to completely avoid them. Sometimes it’s good to read views that oppose your own.



    Quote:
    Originally Posted by blursd View Post


    This seems to be the same justification these people used ... AT&T was doing something we don't like and that we consider reckless so we're going to hit them with our car (metaphorically speaking).



    If Goatse Security had gone on to maliciously use the email addresses, then yeah, your analogy might be correct. However, they simply proved a problem existed and then reported it. It would be similar to the Sweden driver taking a picture of the cyclists crowding the road and giving it to the local newspaper, rather than him ramming a cyclist.



    P.S. If that anecdote is true, then seriously Mr. Driver, just chill out - why risk seriously hurting another person? At least the cyclist isn’t contributing to our lovely dependence on oil. I know cyclists get annoying, but man, maybe if we all did it more our obesity rate wouldn’t be an astounding 1/3.



    /rant
  • Reply 13 of 57
    Quote:
    Originally Posted by thompr View Post


    Can anybody explain why Goatse Security felt compelled to actually provide the data to a journalist?



    At the Gawker article they explained that they first notified AT&T, and waited until after the hole was closed before talking with the reporter. As noted in this article, they had hoped AT&T would do right by Apple's customers and let them know of this security breach, but AT&T chose not to inform Apple's customers in a timely manner so Goatse did it for them.
  • Reply 14 of 57
    justflybob Posts: 1,337, member
    The only "hole" in this case are the hackers.



    Just buy a vowel and add "A".
  • Reply 15 of 57
    adonissmu Posts: 1,772, member
    I mean seriously. Apple will be very secure after these guys get finished with them.
  • Reply 16 of 57
    aplnub Posts: 2,584, member
    Quote:
    Originally Posted by justflybob View Post


    The only "hole" in this case are the hackers.



    Just buy a vowel and add "A".



    You mean buy a vowel and add two ss's?
  • Reply 17 of 57
    adonissmu Posts: 1,772, member
    Quote:
    Originally Posted by RationalTroll View Post


    At the Gawker article they explained that they first notified AT&T, and waited until after the hole was closed before talking with the reporter. As noted in this article, they had hoped AT&T would do right by Apple's customers and let them know of this security breach, but AT&T chose not to inform Apple's customers in a timely manner so Goatse did it for them.



    That still doesn't justify them illegally getting people's personal information and illegally distributing it to others. ATT didn't need to tell anyone, if no information was harvested. Anyone can have a security hole? Whenever you are putting your information you are always at risk on the internet. However, leaking it to customers would've been wrong because now you have let other criminals know about the hole. Had they known emails were harvested from the get go they would've let people know.
  • Reply 18 of 57
    pooch Posts: 768, member
    Quote:
    Originally Posted by Planet Blue View Post


    P.S. [...] At least the cyclist isn't contributing to our lovely dependence on oil. [...]



    chances are they are riding on tires made with some amount of petroleum product, however small that might be, relatively speaking. and how many tires does one go through in a year?



    ... and the asphalt they ride on has some crude oil component.



    ... how much oil was used to manufacture and deliver the bicycle?



    so i get the gist of your statement, but it's not absolutely true.



    i'm just sayin'
  • Reply 19 of 57
    commun5 Posts: 36, member
    Too many coincidences here. Goatse Security, who claims that their penetration of the AT&T website is an act of protecting American national security for the sake of "their country," decides to use a French web address for their website. Goatse Security just happens to decide to give an exclusive story to Ryan, who has had an email run-in with Steve Jobs, at Valleywag, a blog owned by Gawker Media, who is in litigation with the police and Apple over the alleged purchase of a stolen prototype of the iPhone 4. Goatse Security, of course, says they received no compensation from Gawker Media for this exclusive story, but they give Ryan a full list of the emails recovered from their penetration of the AT&T website "to prove that they were successful." Valleywag just happens to decide to run the story in a way that blames Apple, rather than AT&T, for the security problem. Goatse Security just happens to decide not to inform AT&T, but to make sure that "someone tipped them off."



    Guess it isn't a coincidence that the FBI chose to investigate Gawker's involvement in this situation.
  • Reply 20 of 57
    Quote:
    Originally Posted by AdonisSMU View Post


    That still doesn't justify them illegally getting people's personal information and illegally distributing it to others. ATT didn't need to tell anyone, if no information was harvested. Anyone can have a security hole? Whenever you are putting your information you are always at risk on the internet. However, leaking it to customers would've been wrong because now you have let other criminals know about the hole. Had they known emails were harvested from the get go they would've let people know.



    Goatse claims that the only copy of the data they had was given to the reporter, and their own destroyed. Any data in the wild is a result of the exposure AT&T created for themselves, not from Goatse's sharing of the data with one reporter.