TechChee.com


iPad AT&T security breach – vulnerable to spam marketing and malicious hacking


A security breach involving the iPad on AT&T's network has exposed the information of iPad owners, including dozens of CEOs, military officials, and top politicians. The iPad on AT&T could be vulnerable to spam marketing and malicious hacking. The breach lies in the AT&T network and might have compromised about 114,000 user accounts in the US, exposing some of their confidential information (e.g. email addresses).

The information exposed in the breach included subscribers' email addresses and their user IDs (known as the ICC-ID), which are used to authenticate the subscriber account on AT&T's network. Gawker contacted both Apple and AT&T for comment, but neither company has commented.

The breach was caused by an AT&T server; the network provider has recently closed the security hole without users being aware of it. It was discovered by a group called Goatse Security: a user's data, e.g. the email address, could be obtained by supplying the ICC-ID in an HTTP request to an Internet-accessible script on AT&T's website. The script would return the associated user's email address in an AJAX-style response within a web app.

Apparently, some programmers and web developers lack a proper understanding of the AJAX-style responses of a web app. Although an AJAX app sends requests and receives responses in the browser's background, an experienced web developer or technical user can easily discover how the requests are sent and received by viewing the web app's JavaScript source code. Therefore, AJAX web apps need security measures of their own.
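The flaw described above, as an added example that is not from the original post or from AT&T's code: a lookup that treats the ICC-ID as the only credential, next to a version that requires a session bound to the subscriber and flags a client asking about many different identifiers. The function names, sample ICC-IDs, session store and threshold are assumptions made for illustration.

```javascript
// Added illustration; all names and data are constructed, not AT&T's code.
const subscribers = new Map([
  ["89014100000000000001", "alice@example.com"],
  ["89014100000000000002", "bob@example.com"],
]);

// Flawed pattern described above: the ICC-ID alone acts as the credential,
// so any caller who supplies an identifier receives the matching email.
function lookupInsecure(iccid) {
  const email = subscribers.get(iccid);
  return email ? { status: 200, email } : { status: 404 };
}

// Hardened pattern: the caller must hold a server-side session created by a
// real login, and may only read the record bound to that session.
const sessions = new Map([["sess-alice", { iccid: "89014100000000000001" }]]);
const seenByClient = new Map(); // clientId -> Set of distinct ICC-IDs requested
const MAX_DISTINCT_IDS = 3;     // assumed threshold for flagging enumeration

function lookupHardened(clientId, sessionToken, iccid) {
  // Count how many different identifiers one client has asked about.
  const seen = seenByClient.get(clientId) || new Set();
  seen.add(iccid);
  seenByClient.set(clientId, seen);
  if (seen.size > MAX_DISTINCT_IDS) return { status: 429, alert: true };

  const session = sessions.get(sessionToken);
  // Same reply for "no session", "wrong ICC-ID" and "unknown ICC-ID",
  // so the response never confirms whether an identifier exists.
  if (!session || session.iccid !== iccid) return { status: 403 };
  return { status: 200, email: subscribers.get(iccid) };
}
```

Hiding the request inside background JavaScript changes nothing in either function; only the server-side session check and the per-client counter decide what is returned.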

Gawker, meanwhile, thinks Apple should bear responsibility for ensuring the privacy of its users. Its comments follow:

Although the security vulnerability was confined to AT&T servers, Apple bears responsibility for ensuring the privacy of its users, who must provide the company with their email addresses to activate their iPads. This is particularly the case given that U.S. iPad 3G customers have no choice in mobile carriers — AT&T has an exclusive lock, at least for now. Given the lock-in and the tight coupling of the iPad with AT&T’s cellular data network, Apple has a pronounced responsibility to patrol the network vendors it chooses to align and share customer data with.

In addition to complicating the AT&T-Apple relationship, the breach will also likely unnerve customers thinking of buying iPads that connect to AT&T’s cellular network. And it will do so at a pivotal moment, with the iPad 3G early in its sales cycle. Brisk sales for the original wi-fi iPad had promised to turn the 3G model into a similar profit machine. But further questions about AT&T, already widely ridiculed for its bad service, are going to make people think twice about spending up to $830 and $25 per month on the iPad 3G.

Lots of big names are affected. The New York Times has even emailed all staff suggesting they “turn off your access to the 3G network on your iPad until further notice”. AT&T has sent Gawker a statement apologizing for the breach. Read more about the breach on Gawker!
