Jackson Brown - AT&T/iPad Email Address Leak

In June 2010, Goatse Security uncovered a vulnerability within the AT&T website. AT&T was the only provider of 3G service for Apple's iPad in the United States. When a user signed up for AT&T's 3G service from an iPad, AT&T retrieved the ICC-ID from the iPad's SIM card and associated it with the email address provided during sign-up. To ease the log-in process from the iPad, the AT&T website received the SIM card's ICC-ID and pre-populated the email address field with the address provided during sign-up. Goatse Security realized that by sending an HTTP request with a valid ICC-ID embedded inside it to the AT&T website, the website would reveal the email address associated with that ICC-ID.

On June 5, 2010, Daniel Spitler, aka "JacksonBrown", began discussing this vulnerability and possible ways to exploit it, including phishing, on an IRC channel. Goatse Security constructed a PHP-based brute force script that would send HTTP requests with random ICC-IDs to the AT&T website until a legitimate ICC-ID was hit, at which point the website would return the email address corresponding to that ICC-ID. This script was dubbed the "iPad 3G Account Slurper."
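The request pattern described above (one client, many different ICC-IDs, almost all of them unknown) is something a defender can look for in web logs. The following is an added example, not code from the original article or from AT&T; the log record layout, the thresholds, the sample data and the name `find_enumerators` are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample records: (client_ip, iccid_in_request, email_was_returned).
# All IPs and ICC-ID values below are invented for this example.
SAMPLE_LOG = (
    # One real device: always the same ICC-ID, always a hit.
    [("198.51.100.7", "8901410000000000001", True)] * 4
    # A scripted client: 200 different ICC-IDs, only every 40th one exists.
    + [("203.0.113.50", f"89014100000000{n:05d}", n % 40 == 0)
       for n in range(1, 201)]
    # A household behind one NAT address: three devices, all hits.
    + [("192.0.2.10", f"890141000000099000{d}", True) for d in range(3)] * 2
)


def find_enumerators(records, max_distinct=5, max_miss_ratio=0.5):
    """Flag clients that query many distinct ICC-IDs and mostly miss.

    Returns {client: (distinct_iccids, misses, total_requests)}.
    A production rule would apply this per time window; the sample
    treats the whole log as one window.
    """
    seen = defaultdict(set)      # client -> distinct ICC-IDs requested
    total = defaultdict(int)     # client -> number of requests
    misses = defaultdict(int)    # client -> requests that returned no email

    for client, iccid, hit in records:
        seen[client].add(iccid)
        total[client] += 1
        if not hit:
            misses[client] += 1

    flagged = {}
    for client, iccids in seen.items():
        distinct = len(iccids)
        miss_ratio = misses[client] / total[client]
        # Many distinct identifiers alone can be a shared NAT address;
        # requiring a high miss ratio as well separates guessing from
        # legitimate devices, which only ever send their own ICC-ID.
        if distinct > max_distinct and miss_ratio > max_miss_ratio:
            flagged[client] = (distinct, misses[client], total[client])
    return flagged


if __name__ == "__main__":
    for client, stats in find_enumerators(SAMPLE_LOG).items():
        print(client, stats)
```

Detection only limits the damage; the underlying flaw is that the ICC-ID, an identifier, was treated as sufficient proof of who was asking.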

Goatse Security then attempted to find an appropriate news source to share the leaked information with. weev attempted to contact News Corporation and Thomson Reuters executives, including Arthur Siskind, about AT&T's security problems. On June 6, 2010, weev sent emails with some of the ICC-IDs recovered in order to verify his claims. Chat logs from this period also reveal that attention and publicity may have been incentives for the group.

The tactics used by members of Goatse Security caused a significant debate regarding the proper disclosure of IT security flaws. weev has maintained that Goatse Security used common industry standard practices and has said, "We tried to be the good guys." Jennifer Granick of the Electronic Frontier Foundation has also defended the tactics used by Goatse Security.

On June 14, 2010, Michael Arrington of TechCrunch awarded the group a Crunchie award for public service. This was the first time a Crunchie was awarded outside the annual Crunchies award ceremony.

The FBI then opened an investigation into the incident, leading to a criminal complaint in January 2011 and a raid on Andrew "weev" Auernheimer's house. The search was related to the AT&T investigation, and Auernheimer was subsequently detained and released on bail on state drug charges, which were later dropped. After his release on bail, he broke a gag order to protest and to dispute the legality of the search of his house and the denial of access to a public defender. He also asked for donations via PayPal to defray legal costs. In 2011 the Department of Justice announced that he would be charged with one count of conspiracy to access a computer without authorization and one count of fraud. A co-defendant, Daniel Spitler, was released on bail.

On November 20, 2012, Auernheimer was found guilty of one count of identity fraud and one count of conspiracy to access a computer without authorization, and tweeted that he would appeal the ruling. Alex Pilosov, a friend who was also present for the ruling, tweeted that Auernheimer would remain free on bail until sentencing, "which will be at least 90 days out."

On November 29, 2012, Auernheimer authored an article in Wired Magazine entitled "Forget Disclosure - Hackers Should Keep Security Holes to Themselves," advocating the disclosure of any zero-day exploit only to individuals who will "use it in the interests of social justice."
