Hackers were right to disclose AT&T-iPad site hole
They might have been gloating by revealing 114,000 e-mail addresses, but the Goatse Security guys acted responsibly in waiting for AT&T to fix a hole they found before going public about it.
commentary If you are an iPad 3G user, it's possible that your e-mail address is in the hands of malicious hackers who could send you e-mails with malware targeted to infect your device. There's also the possibility--albeit much slimmer--that someone could use the serial number for your device to get more information on you and even track your whereabouts.
That's because of a hole in AT&T's customer Web site for iPad 3G users that became public last week. (You can read more details about it here.)
AT&T issued an apology to its affected iPad 3G customers this weekend, but the company mostly used the e-mail to blame the hackers who discovered the problem instead of accepting responsibility for its own security oversight.
That situation, and one involving a Google researcher who last week disclosed a hole affecting Windows before Microsoft had a chance to fix it, are provoking debate on what researchers should do when they find a security vulnerability that puts consumers and corporations at risk.
In the AT&T case, the group indirectly informed AT&T about the hole through a third-party and then disclosed the information about the security flaw to Gawker, which broke the story. The hackers--who call themselves Goatse Security--waited until after AT&T had fixed the problem before going public.
Whereas Google researcher Tavis Ormandy disclosed the information about the flaw he discovered in a Windows online support center to Microsoft to a security e-mail list five days after reporting it to Microsoft. He included proof-of-concept code to exploit the hole along with a workaround, which Microsoft says doesn't work. Microsoft issued its own fix on Friday for the unpatched hole, also known as a zero-day vulnerability. Basically, anyone running the affected software who doesn't use the fix is vulnerable.
Ormandy declined to comment about his actions last week, and Google issued a statement saying that Ormandy's research on that vulnerability was his own and not done on behalf of the company.
Security researchers often disclose holes to keep vendors honest. Many sources complain that they notify companies of security vulnerabilities and that the companies take months, or even years, to provide a fix to customers. In the meantime, malicious hackers may have discovered the same hole and may be using it to steal data, infect computers, or attack systems without the computer owner knowing there is even a risk.
In a letter in response to AT&T's e-mail to customers, Goatse Security said in a blog post on Monday that the group had released a semantic integer overflow exploit for Safari in March that was patched for desktop users but not for iPad users. "This bug we crafted allows the viewer of a webpage to become a proxy (behind corporate and government firewalls!) for spamming, exploit payloads, password bruteforce attacks and other undesirables. The kicker is that this attack cannot be detected by any current IDS/IPS system," the group wrote.
In the AT&T case, Goatse Security members claim that they were acting in the public interest. However, they also must have anticipated that they would shame AT&T and generate attention for themselves.
Despite the group's juvenile name and history of trolling, Goatse Security acted responsibly by waiting until the hole was closed to go public.
Why go public at all at that point? Because they may not have been the only ones to discover and exploit the flaw. iPad users should know about the threat so they can be on guard for targeted e-mail attempts to take advantage of their exposed information.
There is a difference between exposing a vulnerability and exploiting a vulnerability, though. Did Goatse Security have to harvest 114,000 iPad user e-mails to prove that the problem was real? Not really. Even revealing a couple of e-mail addresses would have been enough to serve that purpose. It's likely the Goatse guys took pleasure in embarrassing AT&T and the more e-mails exposed the worse AT&T looks.
The group's work still treads into muddy waters.
"Web site research has a risk of crossing the line into unauthorized access or exceeding authorized access as defined by the CFA (Computer Fraud and Abuse Act)," Chris Wysopal, chief technology officer of Veracode, wrote in a blog post on Monday.
AT&T's Web site was designed to display the e-mail address associated with the device's SIM serial number and all Goatse Security really did was use the site in a way AT&T had not accounted for.
AT&T doesn't see it that way. The company says it will "cooperate with law enforcement in any investigation of unauthorized system access and to prosecute violators to the fullest extent of the law."
It's time for the industry to come up with standards for disclosure that are ethical and which protect consumers from threats while giving vendors and Web site owners adequate time to address the vulnerabilities.
Researchers, many of whom are not compensated for their work, should be rewarded for their research and not vilified if they act responsibly. But the industry must decide to do this and agree on which is the bigger threat--the unpatched hole or the headline-seeking security researcher.
"The challenge is in determining what is an attack and what is research," Wysopal said.