Hackers say iPad has more security holes

By David Goldman, staff writer


NEW YORK (CNNMoney.com) -- A day after AT&T fessed up to its iPad 3G customers about a security breach, the hackers that exploited the vulnerability in AT&T's website said there are still lurking security problems related to the iPad.

In a blog post, hacker group Goatse Security said Monday that a "skilled attacker" could take advantage of a weakness in the iPad's Safari Internet browser. The browser's bug could potentially allow someone to gain unwanted access to a user's iPad when that user clicks a malicious link.

Goatse released an explanation of how the bug works on its website: To protect against hacks, Internet browsers typically restrict websites' access to computers through communications channels known as "ports." But Apple's Safari browser failed to block off some illegitimate ports with unusually high numbers. A hacker could use those unguarded channels, in combination with Safari features that automatically execute software requests, to wreak havoc.

"Basically, there is a hole in the iPad Safari version that allows someone to 'own' your machine, " said Hemanshu Nigam, founder of SSP Blue, a cybersecurity consulting firm. "Once they break in, hackers can make your iPad do anything they want and take anything they want from it. It's no different than saying, 'Here you go, it's all yours.'"

Apple fixed the bug on the desktop version of Safari in March, when the security glitch was first discovered. But Apple has still not issued the patch for its mobile version, leaving the iPad vulnerable, according to the hacker group.

Apple (AAPL, Fortune 500) did not immediately respond to a request for comment.

The blog post was written as a response to an e-mail that AT&T (T, Fortune 500) sent to its customers on Sunday evening, in which the wireless giant owned up to a security breach on its website that came to light last week. Goatse Security exploited an AT&T vulnerability to harvest the e-mail addresses that iPad 3G buyers provided to activate their device. As a result, more than 100,000 users' e-mail addresses and their iPads' SIM card ID numbers were released to the public.

In the letter, AT&T called the hack "malicious" and said the hackers went through "great efforts with a random program" to obtain the e-mail addresses.

But Goatse Security said in its blog post that the hack took "just over a single hour of labor total." It accused AT&T -- and Apple -- of not taking security seriously, saying that had the hackers not exposed the vulnerability, AT&T would never have fixed the problem. As evidence, Goatse cited Apple's failure to fully patch the Safari bug Goatse exposed three months ago.

The hacking group also accused the companies of mistreating their customers. The news of the iPad e-mail address hack first came to light last Wednesday, when gossip blog Gawker reported it. But AT&T said it was notified of the bug by a customer two days earlier, and that it patched the hole a day before Gawker's report hit. Still, it took the company until Sunday to make its customers aware of the vulnerability.

"AT&T had plenty of time to inform the public before our disclosure. It was not done," the group said in its blog post. "Post-patch, disclosure should be immediate -- within the hour. Days afterward is not acceptable."

AT&T didn't rise to the bait. "Our letter speaks for itself and we do not have additional comment," a company spokesman said. To top of page

Frontline troops push for solar energy
The U.S. Marines are testing renewable energy technologies like solar to reduce costs and casualties associated with fossil fuels. Play
25 Best Places to find rich singles
Looking for Mr. or Ms. Moneybags? Hunt down the perfect mate in these wealthy cities, which are brimming with unattached professionals. More
Fun festivals: Twins to mustard to pirates!
You'll see double in Twinsburg, Ohio, and Ketchup lovers should beware in Middleton, WI. Here's some of the best and strangest town festivals. Play
Index Last Change % Change
Dow 17,416.85 225.48 1.31%
Nasdaq 4,683.41 45.42 0.98%
S&P 500 2,021.25 19.09 0.95%
Treasuries 1.75 0.03 1.57%
Data as of 8:35pm ET
Company Price Change % Change
Apple Inc 118.90 3.59 3.11%
Bank of America Corp... 15.43 0.23 1.51%
Yahoo! Inc 43.73 -2.73 -5.88%
Microsoft Corp 42.01 0.82 1.99%
Facebook Inc 78.00 1.76 2.31%
Data as of 4:02pm ET

Sections

Shake Shack is a huge success in New York. But will the 'fine casual' burger and fries joint be a big hit with investors too? It looks like Wall Street has worked up its appetite for the Shake Shack IPO. More

The Wednesday announcement that Don Thompson will retire as CEO of McDonald's leaves just two black CEOs in the elite Dow 30. More

Google reported a quarterly profit on Thursday that rose from a year ago, but the company fell short of Wall Street's expectations. More

On demand delivery startup WunWun is expecting its order volume to double by the time they close up shop on Monday. All thanks to a blizzard. More

The IRS said it has carried out thousands of audits of offshore schemes and pursued criminal charges that have resulted in "billions of dollars in criminal fines and restitutions." And it won't stop there. More

Most stock quote data provided by BATS. Market indices are shown in real time, except for the DJIA, which is delayed by two minutes. All times are ET. Disclaimer.

Morningstar: © 2015 Morningstar, Inc. All Rights Reserved.

Factset: FactSet Research Systems Inc. 2015. All rights reserved.

Chicago Mercantile Association: Certain market data is the property of Chicago Mercantile Exchange Inc. and its licensors. All rights reserved.

Dow Jones: The Dow Jones branded indices are proprietary to and are calculated, distributed and marketed by DJI Opco, a subsidiary of S&P Dow Jones Indices LLC and have been licensed for use to S&P Opco, LLC and CNN. Standard & Poor's and S&P are registered trademarks of Standard & Poor’s Financial Services LLC and Dow Jones is a registered trademark of Dow Jones Trademark Holdings LLC. All content of the Dow Jones branded indices © S&P Dow Jones Indices LLC 2015 and/or its affiliates.