Hackers fire back at AT&T, say all iPads at risk to Safari hole

In a blog post Monday, Goatse Security attested that its manipulation of an AT&T web server that spit out the email addresses of over 114,000 iPad 3G subscribers — including many top government and corporate officials — was done as a public service, objecting allegations in AT&T's apology to customers that it acted "maliciously" and went to "great efforts" to perform the hack.

"AT&T had plenty of time to inform the public before our disclosure. It was not done," the group said. "If not for our firm talking about the exploit to third parties who subsequently notified them, they would have never fixed it and it would likely be exploited by […] some other criminal organization or government."

"[The] finder of the AT&T email leak spent just over a single hour of labor total (not counting the time the script ran with no human intervention) to scrape the 114,000 emails," it added.

Escher Auernheimer, a member of Goatse Security, said the group disclosed the data it extruded from AT&T's server to just one journalist and then destroyed the original copy. He went on to accuse AT&T of dragging its feet on alerting customers and being dishonest bout the potential for harm.

"Post-patch, disclosure should be immediate– within the hour," he wrote. "Days afterward is not acceptable. It is theoretically possible that in the span of a day (particularly after a hole was closed) that a criminal organization might decide to use an old dataset to exploit users before the users could be enlightened about the vulnerability."

Separately, Auernheimer took both Apple and AT&T to task for failing correct and alert users to a semantic integer overflow exploit in Safari for the iPad that it discovered and publicized back in March.

"It was patched on Apple’s desktop Safari but has yet to be patched on the iPad," he said. "This bug we crafted allows the viewer of a webpage to become a proxy (behind corporate and government firewalls!) for spamming, exploit payloads, password bruteforce attacks and other undesirables."

A more detailed explanation of the hack posted by Goatse's explains how Safari on the iPad fails to block off access to some nonexistent ports which fall outside the 65536 different values representable in a number of 16 binary digits, also known as a 'short' integer.

Once implemented, the hack can reportedly allow hackers to steal someone else's email identity, reflash network devices with firmware, or trick Safari into doing "pretty much anything on any TCP port and not have any current IDS/IPS in existence be any wiser for it."

"The potential for this sort of attack and the number of iPad users on the list we saw who were stewards of major public and commercial infrastructure necessitated our public disclosure," Auernheimer said. "People in critical positions have a right to completely understand the scope of vulnerability immediately."