Security flaw exposes more than 114,000 iPad email IDs

10 Jun 2010

A security weakness has been discovered by Apple’s mobile partner in the US, AT&T, that is estimated to have exposed more than 114,000 email addresses of iPad users.

The vulnerability, revealed by blog site Valleywag yesterday, affected only iPad users who signed up for AT&T’s 3G wireless internet service.

The flaw is understood to have involved an insecure way in which AT&T’s website prompted iPad users when they logged in to their AT&T accounts through the devices.

“The issue has escalated to the highest levels of the company and was corrected by Tuesday,” AT&T said in a statement published in the Washington Post. “We have essentially turned off the feature that provided the email addresses.”

The site originally supplied users’ email addresses to make log-ins easier, based on unique codes contained in the SIM cards inside the iPads.

Goatse Security, the hacker group that claims to have discovered the flaw, said it was able to trick the site into revealing as many as 114,000 email addresses, including those of politicians and media figures, such as William Eldredge, commander of the US Air Force’s B-1 Strategic Bomber Group.

AT&T said it would notify all iPad owners whose addresses may have been revealed by the hack.

The specific information exposed in the breach included subscribers’ email addresses, coupled with an associated ID used to authenticate the subscriber on AT&T’s network, known as the ICC-ID.

Photo: The Apple iPad

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years
