Hackers exploiting a security loophole on AT&T servers have obtained the e-mail addresses of approximately 114,000 iPad 3G owners and the SIM addresses of their devices. As reported in Valleywag, the hackers employed scripts that automated specially formed URL requests to an iPad-specific AT&T web application. The vulnerability then exposed the information in question. AT&T states the vulnerability has now been closed. According to the original report, the exposed users included some high-profile iPad owners, among them Janet Robinson, CEO of New York Times Corporation, ABC News personality Diane Sawyer, New York Mayor Michael Bloomberg, and White House Chief of Staff Rahm Emanuel. There is even the suggestion that all current iPad 3G owners may have been exposed.
There is some dispute as to whether the information involved represents a significant security risk. E-mail addresses are exposed every time a message is sent out over the Internet. There are probably more efficient and profitable ways to obtain e-mail addresses than hunting down obscure HTTP requests and automating them with PHP scripts. Exposure of e-mail addresses on their own may mean the users in question see an uptick in spam, but no real security risk is inherent. The exposure of the SIM addresses is another matter. While AT&T contends this doesn't expose users to any kind of malicious attack, the group that obtained the information, Goatse Security, says it could be used to intercept information. It is unclear whether the SIM address could enable an attack comparable to the way an obtained cell phone ESN can be used to clone a phone and intercept or eavesdrop on calls.
Regardless, this is a costly embarrassment for AT&T at a time when it can least afford it. One has to wonder what sway the telecommunications company holds over Apple. Steve Jobs has tossed out partners for much, much less. Will this latest mistake be the final straw? Only time will tell.
What do you think of this latest mistake by AT&T? Are you an AT&T customer who's starting to think twice about staying? Is there a point where merely having Apple exclusivity forgives all other errors for AT&T? Let us know in the comments. [Valleywag]