Posted by Chenxi Wang on June 10, 2010
Valleywag reported yesterday that a hack targeting AT&T’s infrastructure led to the disclosure of 114,000 iPad owners' email addresses, including those of prominent celebrities, politicians, and high-profile industry figures.
As far as we can gather at this point, this is most likely a parameter tampering attack. The hackers attacked AT&T’s iPad support Web application, traversed through a range of ICCIDs (Integrated Circuit Card Identifiers), and were able to eventually obtain valid iPad owners’ email addresses without proper authentication.
If this is indeed true, AT&T has done a poor job designing their Web applications — being able to guard against automated parameter traversal attacks is one of the first things you do to secure your Web apps. One can launch an automated parameter traversal attack fairly easily these days: it does not require sophisticated technology or advanced reconnaissance on the victim Web application.
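As an added illustration (not part of the original post, and not AT&T's code), here is the kind of log-side check that would have surfaced the traversal described above: it reads constructed access-log lines in an assumed format and flags any client that asks for many distinct ICCID values within a short window, counting how many requests step through consecutive identifiers. The log layout, the `/ipad/lookup` path and the `iccid` parameter name are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (not real AT&T data): one client walks
# consecutive ICCID values, another makes a single ordinary lookup.
SAMPLE_LOG = """\
203.0.113.7 [10/Jun/2010:09:00:01] GET /ipad/lookup?iccid=89014100000000000001 200
203.0.113.7 [10/Jun/2010:09:00:02] GET /ipad/lookup?iccid=89014100000000000002 200
203.0.113.7 [10/Jun/2010:09:00:02] GET /ipad/lookup?iccid=89014100000000000003 200
203.0.113.7 [10/Jun/2010:09:00:03] GET /ipad/lookup?iccid=89014100000000000004 200
203.0.113.7 [10/Jun/2010:09:00:04] GET /ipad/lookup?iccid=89014100000000000005 200
198.51.100.9 [10/Jun/2010:09:00:05] GET /ipad/lookup?iccid=89014100000000004242 200
"""

# Assumed log layout: "<client> [<timestamp>] GET <path>?iccid=<digits> <status>"
LINE_RE = re.compile(r"^(\S+) \[([^\]]+)\] GET \S*\?iccid=(\d+) (\d{3})$")
TS_FMT = "%d/%b/%Y:%H:%M:%S"

def parse_log(text):
    """Yield (client, timestamp, iccid) for every line matching LINE_RE."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), datetime.strptime(m.group(2), TS_FMT), int(m.group(3))

def find_enumerators(text, window=timedelta(seconds=60), min_distinct=4):
    """Return {client: (max_distinct, sequential_steps)} for clients that asked for
    at least `min_distinct` different ICCIDs inside any `window`. sequential_steps
    counts back-to-back requests whose ICCIDs differ by 1, the signature of a walk."""
    by_client = defaultdict(list)
    for client, ts, iccid in parse_log(text):
        by_client[client].append((ts, iccid))
    flagged = {}
    for client, events in by_client.items():
        events.sort()                      # time order
        ids = [iccid for _, iccid in events]
        best, start = 0, 0
        for end in range(len(events)):     # sliding time window
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, len(set(ids[start:end + 1])))
        if best >= min_distinct:
            steps = sum(1 for a, b in zip(ids, ids[1:]) if abs(b - a) == 1)
            flagged[client] = (best, steps)
    return flagged

if __name__ == "__main__":
    for client, (n, steps) in find_enumerators(SAMPLE_LOG).items():
        print(f"{client}: {n} distinct ICCIDs in window, {steps} sequential steps")
```

The same counting can feed a rate limit on the endpoint itself; the real fix, as the post says, is to require authentication and tie each lookup to the caller's own ICCID rather than trusting the parameter.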
This attack apparently only affected iPad 3G users, not those with Wi-Fi-only iPads. AT&T's official response stated that this particular flaw on their Web application has been remediated.