Up to 114,000 iPad owners have had their privacy breached thanks to a snafu on the part of AT&T that ultimately (but inadvertently) traded security for user convenience.
The vulnerability was discovered by researchers at Goatse Security, who were able to write a script that harvested iPad 3G owners’ ICC-IDs (integrated circuit card identifiers, used to identify SIM cards to a network) and email addresses by exploiting a hole in AT&T’s website.
Gizmodo’s tiny ginger dwarf and all-around best writer Matt Buchanan sat down with AT&T’s chief security officer Ed Amoroso to learn the details of the problem. Essentially, when you sign up for service on the 3G iPad, AT&T links your ICC-ID and the email address you specify. GoatSec’s brute force attack was accomplished by submitting possible ICC-ID numbers to AT&T’s website and recording the email addresses it spit back at them.
AT&T has reacted quickly and already turned off the feature. On the positive side, the only detail anyone has gotten out of this is, at worst, your email address… but with more and more politicians turning to the iPad to conduct matters of state, even that small bit of data leaking out to hackers is an alarming security gaffe.