Goatse Security

Gaping Holes Exposed

On disclosure ethics

63 Comments »

There’s some buzz about that the FBI is getting involved with this iPad email leak. Sean Sullivan at F-Secure said “the disclosure was completely irresponsible.” AT&T says we never contacted them. I want to make some things clear.
 
On the AT&T matter and the accusations of irresponsible disclosure, the timeline of the disclosure speaks for itself. AT&T itself admits the problem was closed Tuesday. The Goatse Security analyst responsible for the discovery personally verified this hole was closed Tuesday and no longer a threat to the public before we went to Ryan Tate at Gawker with the dataset and attack details. Ryan Tate was the only one to receive our dataset, and what results from it he published were redacted to prevent the compromise of those involved.
 
I want to summarize this explicitly:
  • All data was gathered from a public webserver with no password, accessible by anyone on the Internet. There was no breach, intrusion, or penetration, by any means of the word.
  • The dataset was not disclosed until we verified the problem was fixed by the vendor.
  • The only person to receive the dataset was Gawker journalist Ryan Tate who responsibly redacted it.
 
We were much nicer to AT&T than say, HD Moore was to Apple when he published exploits for unpatched flaws in the iPhone:
 
We did not contact AT&T directly, but we made sure that someone else tipped them off and waited for them to patch until we gave anything to Gawker. This is as “nice guy” as it gets. We had no interest in direct dialogue with AT&T, but we waited nicely for them to get their house in order and get their hole plugged tight before exposing it.
 
This disclosure needed to be made. iPad 3G users had the right to know that their email addresses were potentially public knowledge so they could take steps to mitigate the issue (like changing their email address). This was done in service of the American public. Do you really think corporate privacy breaches should stay indefinitely secret? I don’t. If you’re potentially on a list of exploit targets because someone has an iPad Safari vulnerability and they scraped you in a gigantic list of emails it is best that you are informed of that sooner than later (after you’ve been successfully exploited). We did this to help you.
 
I think most people’s problem with our disclosure was not the actual disclosure process, but the rhetoric and tone which accompanied it. Also they seem to take issue with how we went to Gawker first. I’ve had multitudes of reporters tell me that “Gawker has problems”. I don’t think that is true. When Valleywag has messed up in the past, I’ve always seen them do a whole new post to print their retraction which always appears at the same level of visibility of the original post. Unlike their competition, where a frontpage mistake is retracted in fine print on page C20 two weeks later. It is funny, because some of the news outlets telling me Gawker has issues were ignoring me when I tried to break this story to them.
 
The rhetoric, tone, and outlet we chose for our disclosure is free speech, plain and simple.
 
I’ve also heard the insinuation in a lot of Internet comments that Gawker paid us for this scoop. This is positively false. None of us made any money off of this disclosure. We did it in public interests. Seriously, we are not poor and do not need handouts from blogging companies.
 
Anyways, there was no illegal activity or unauthorized access, this was not a shady backroom hookers and blow deal with Nick Denton as revenge for the iPhone raid (though that would be totally sweet), we did not sell your data to spammers (on the contrary, we destroyed it after Ryan used it; it had served its purpose to us) and we did not try to hack your iPads. Your iPads are safer now because of us.

There’s some buzz about that the FBI is getting involved with this iPad email leak. Sean Sullivan at F-Secure said “the disclosure was completely irresponsible.” AT&T says we never contacted them. I want to make some things clear.
 
On the AT&T matter and the accusations of irresponsible disclosure, the timeline of the disclosure speaks for itself. AT&T itself admits the problem was closed Tuesday. The Goatse Security analyst responsible for the discovery personally verified this hole was closed Tuesday and no longer a threat to the public before we went to Ryan Tate at Gawker with the dataset and attack details. Ryan Tate was the only one to receive our dataset, and what results from it he published were redacted to prevent the compromise of those involved.
 
I want to summarize this explicitly:
  • All data was gathered from a public webserver with no password, accessible by anyone on the Internet. There was no breach, intrusion, or penetration, by any means of the word.
  • The dataset was not disclosed until we verified the problem was fixed by the vendor.
  • The only person to receive the dataset was Gawker journalist Ryan Tate who responsibly redacted it.
 
We were much nicer to AT&T than say, HD Moore was to Apple when he published exploits for unpatched flaws in the iPhone:
 
We did not contact AT&T directly, but we made sure that someone else tipped them off and waited for them to patch until we gave anything to Gawker. This is as “nice guy” as it gets. We had no interest in direct dialogue with AT&T, but we waited nicely for them to get their house in order and get their hole plugged tight before exposing it.
 
This disclosure needed to be made. iPad 3G users had the right to know that their email addresses were potentially public knowledge so they could take steps to mitigate the issue (like changing their email address). This was done in service of the American public. Do you really think corporate privacy breaches should stay indefinitely secret? I don’t. If you’re potentially on a list of exploit targets because someone has an iPad Safari vulnerability and they scraped you in a gigantic list of emails it is best that you are informed of that sooner than later (after you’ve been successfully exploited). We did this to help you.
 
I think most people’s problem with our disclosure was not the actual disclosure process, but the rhetoric and tone which accompanied it. Also they seem to take issue with how we went to Gawker first. I’ve had multitudes of reporters tell me that “Gawker has problems”. I don’t think that is true. When Valleywag has messed up in the past, I’ve always seen them do a whole new post to print their retraction which always appears at the same level of visibility of the original post. Unlike their competition, where a frontpage mistake is retracted in fine print on page C20 two weeks later. It is funny, because some of the news outlets telling me Gawker has issues were ignoring me when I tried to break this story to them.
 
The rhetoric, tone, and outlet we chose for our disclosure is free speech, plain and simple.
 
I’ve also heard the insinuation in a lot of Internet comments that Gawker paid us for this scoop. This is positively false. None of us made any money off of this disclosure. We did it in public interests. Seriously, we are not poor and do not need handouts from blogging companies.
 
Anyways, there was no illegal activity or unauthorized access, this was not a shady backroom hookers and blow deal with Nick Denton as revenge for the iPhone raid (though that would be totally sweet), we did not sell your data to spammers (on the contrary, we destroyed it after Ryan used it; it had served its purpose to us) and we did not try to hack your iPads. Your iPads are safer now because of us.

63 Responses

[...] In a lengthy blog post, a member of Goatse Security said “there was no illegal activity or unauthorized [...]

  • You seem to have acted completely responsibly. Actually, it looks like you went above and beyond the call of duty. I think the media just likes to hate on Goatse.

  • Well that was enlightening. Thank you!… but I don’t have an iPad anyway hehe. Maybe someday

  • The only problem I had with the disclosure was Gawker’s misleading headline that pointed a finger at Apple. More accurate would have been AT&T.

    • I agree with the misleading headline bit, Jay. This truly wasn’t an Apple issue at all, but one of AT&T. That said, Apple’s refusal to make a statement or otherwise take responsibility makes sense.

      Also, you see the term “security breach” in numerous articles regarding this issue. And I still think the term “breach” implies malicious intent, effort to pass through security measures, when I don’t believe this was the case here. There simply was no security here. Security flaw, perhaps, would be a better term?

      My final point is that there is nothing wrong with going through an intermediary to notify AT&T of the flaw. Who cares, so long as it’s done? But AT&T calling Goatse Security “malicious hackers” is in the range of defamation of character, wouldn’t you say?

  • [...] In a lengthy blog post, a member of Goatse Security states that “there was no illegal activity or unauthorized [...]

  • Well, I still don’t understand the point with e-mail being public. I suppose we all use different e-mails for official, personal, social purposes. So if the user enters his official e-mail in AT&T then he/she has to be blamed. Secondly it has to do something with AT&T to ensure their website is secured and no info is shared with unauthorized persons..

  • Out of curiosity, the data that was discovered on a unsecured web server. If that is the case, could a searchengine crawl and index those addresses? Or would that page have been blocked by robots.txt or require user input?

  • Apple = AT&T as long as they have an exclusive relationship. Why didn’t someone at Apple figure this out first? The iPad has been out for several months now.

  • I think you guys did a fabulous job. Please to be keeping up the good work as it is much needed.

  • As someone else pointed out on another site, if anybody important (i.e., gov, mil) is using these insecure consumer devices to contain official business, instead of a properly encrypted official business only organization-certified device, they’re idiots.

  • When “Weev” tells the Wall Street Journal he is “doing a public service” that’s questionable. Wouldn’t it have been ethically superior and more of a “public service” to have alerted Apple and AT&T when you discovered the flaw weeks ago? I’m sure there is some hacker code or ethos about not telling companies directly, but if you knew weeks ago and did nothing to inform the company, the “public service” argument is silly. More people could have been hurt during the interval between your discovery and subsequent disclosure – so i’m just not buying the line. Sorry, just my two cents.

    • Jennifer–

      The author of this vulnerability did not understand the full implications of this particular bit of code until recently, and had to find a second bit of external data to make it useful. He had a lot other things to do. I am sure you understand how something not being done for profit can fall beneath other priorities in a demanding queue of work.

      • Jennifer-

        Also keep in mind many other computer interested (or hackers) people would have used this in a horrible a way and could have been 10000x worst then it is now, maybe they could have done it a little better but give them the benefit of the doubt and a round of applause, they are good samaritans. They didn’t get any money, they didn’t get any good press; to be honest they are getting trashed by 100s of TV channels and bloggers saying Goatse did something wrong when they did nothing wrong at all.. We, the people, need to stand up and make it clear that they are good.

    • and risk that apple and at&t never inform their consumers? They were right about they way they took things. This caused pressure on At&t to beef up their security, which if it was done privately you could never have been sure of this..

  • Im a white hat hacker and I must say, 10+ to you guys! you went above and beyond to do the nicest thing that you could, most scum-bags would have sold the story to CNN for $10,000 without informing AT&T and putting 100,000+ people at risk. We need more of you guys on the net and less of the media spreading rumors saying you guys hacked it. People need to learn the definition of “hacking” – to make it easy on you guys, here it is: “a person who uses computers to gain unauthorized access to data.” nowhere did you guys use “unauthorized access” to gain any data. You guys are the heros in this story; AT&T, Apple, and the world should thank you!

    So, behalf of everybody — Thank You!

    - Misfit

  • Congratulations on a job well done.

  • [...] The original ‘attackers’ have published a response to the furore here. Pretty much confirms what I was saying “There was no breach, intrusion, or penetration, by [...]

  • [...] AT&T but “made sure that someone else tipped them off,” the group wrote in a blog post. The actions were legal and ultimately improved the security for iPad users, the group [...]

  • [...] Goatse have responded to criticism in their blog at http://security.goatse.fr/blog/?p=5. [...]

  • [...] a blog post Thursday, Goatse said that it did nothing illegal. The group obtained the the e-mail addresses via [...]

  • [...] a blog post Thursday, Goatse said that it did nothing illegal. The group obtained the the e-mail addresses via [...]

  • [...] a blog post Thursday, Goatse said that it did nothing illegal. The group obtained the the e-mail addresses via [...]

  • [...] member of Goatse Security, the company that reportedly pulled off the heist, recently wrote a detailed blog post to clarify things, and, as Gawker reports, to defend the group's actions. The author claims that [...]

  • [...] the iPad, recently suffered an astronomical security breach. A hacker group, calling themselves Goatse Security gained access to the private details and email addresses of nearly 114,000 early purchasers of the [...]

  • Good for you! Too bad there can’t be teams of folks like you checking out oil drilling rigs.

  • Thank you, Goatse Security, for calling attention to this large, open hole left stretched out by the incompetent morons of AT&T. The enormous width of it was astounding and attracted worldwide attention.

    You should be pleased to carry the Goatse name!

  • [...] AT&T but “made sure that someone else tipped them off,” the group wrote in a blog post. The actions were legal and ultimately improved the security for iPad users, the group [...]

  • [...] per capire chi si nasconde dietro al gruppo eGoatse Security, mentre il Team si difende sul blog ufficiale pronunciando le seguenti [...]

  • [...] AT&T but “made sure that someone else tipped them off,” the group wrote in a blog post. The actions were legal and ultimately improved the security for iPad users, the group [...]

  • America, FUCK YA!

  • So At&t has a security flaw that could harm 1000′s of customers. Someone “Goatse” founds out and expose them so this issue can be addressed and prevented. They did not profit in anyway and still their are people defending At&t. Goatse did not created any vulnerability or intrusion they just exposed an open one because of the inept at At&t. Maybe At&t should stop looking for ways to nickel and dime its customer and spend more time making sure their customers data is secure.

  • [...] The people who disclosed the DMCAT&T vulnerability had this, among other things to say: “All data was gathered from a public webserver with no password, accessible by anyone on the Internet. There was no breach, intrusion, or penetration, by any means of the word.” -source [...]

  • I don’t think Goatse (apart from making me look at that homepage) are responsible or been evil, in finding the gaping hole. You are though being controversial at collating so much data and sending it to the Blogger? .. A sample or a video could have been better, but less news worthy.

    I myself found a “gaping hole” of a website developer, and video taped what exploits it lead to and was the foundation of starting this week my own blog is-hacked.com. The video to be released Tuesaday 9AM (GMT).

    Should the FBI investigating Apple and their lapse in judgement on the matter and not Goatse for having a look at what’s in the cupboards?

  • Although at first when I read the media reports I got frustrated, but now I am now very thankful for this issue. You have brought to light a blatant security breach to which AT&T has finally mended. I applaud you at the manner in which you did it as well. I know this sentence sounds controversial, but keep up the good work!

  • [...] a blog post earlier Friday, Auernheimer spelled out Goatse’s case. “All data was gathered from a public [...]

  • [...] a blog post earlier today, Auernheimer spelled out Goatse’s case. “All data was gathered from a [...]

  • Situations like this are much more complicated than merely the existence of a hole, the existence of an exploit, some form of disclosure.

    The dynamics of the situation are huge, and often not immediately visible to the initial participants. It is true that AT&T had some careless web code, and having the whole database on a publicly available server was also questionable.

    At the point that the hackers had several examples of data that should not have been disclosed, they should have contacted Infraguard or some trusted agency. Putting the exploit into “production” and running it for a hundred thousand executions did the following:

    1. Placed a large load in AT&T’s database server, which could have (might have) caused a denial of service situation for them.

    2. Copied a huge amount of AT&T’s proprietary data into an unsecured location where it could have been (and may have been) further compromised. If the output sheets had been stolen, the hackers would have been solely responsible for the bulk of the lost data.

    3. Copied the data over unsecured networks, most likely in unencrypted form, where it could have been (might have been) sniffed and be on the loose today.

    It is my contention, that after the first dozen tests of the exploit, putting the exploit into full scale “production” and harvesting a hundred thousand emails was a goatSE of judgement, oops, I mean a lapSE of judgement.

    And disclosure couold have been made through a credible agency such as CERT.

    I think the name the hackers chose for themselves is strangely appropriate.

    • Doug, Your third objection is the only one I find compelling. Number one, nobody visits AT&T in the first place, so their traffic is mostly generated by billing inquiries that go to secure machines. Number two is laughable. Number three is … meh.

    • Doug,

      1) I assure you this was never at risk of happening. The author of the script is a web scaling expert, and knows how to stagger HTTP requests (follow a simple rule: one at a time!) to not overload a web server.
      2) Unsecured location? Firstly, it was publicly available on the AT&T server. This assertion is ridiculous at the outset. Secondly, we are a security firm. We know how to keep data safe.
      3) Same response as #2.

      If you are an AT&T customer what you should worry about is if somebody else has scraped this previously public data that isn’t us. We went public with this issue entirely so that stewards of important infrastructure would be able to mitigate in this circumstance.

      • Just for my information…

        What exactly did you send to Ryan Tate, and why did you need to send it?

        Randy THompson

  • Props to the Goatse group. Hope to illustrate that some of us out here appriciate your work. I fully support your actions, and will be of any assistance possible.

  • You have done some quality work filling in those gaping holes. I only hope you can find some more in the future ;)

  • [...] its lengthy blog post Goatse Security states “All data was gathered from a public webserver with no password, accessible by anyone on the [...]

  • I was with you until you said “Seriously, we are not poor and do not need handouts…” You’re suggesting the taking of money would be less ethical. If you were poor you might be less ethical and take the money? Because poor people are less ethical? Also, poor people need handouts? Spoken like somebody who doesn’t know from poor. Then, please don’t claim to know what poor people need.

  • I applaud the finding and fixing of holes.

    However, I am not convinced that the exposed data is now protected. Who cleared the various internet caches which some consultants use to reconstruct lost data? Who’s to say that the data has not already been replicated? Now that the problem has been exposed, even if fixed for the future, it seems that chaning your email address is the only real mitigation a user has available.

    To make a bad analogy, imagine someone was walking around with their social security card almost falling out of their hip pocket. A stranger comes by and hands it to the owner. Tuck it back in your wallet and will it be secure again? Maybe, but how many people have already seen it and what will the stranger do with the information? The breach, and unknown number of other breaches have already occurred.

    We need to be able to trust our networks in order to make use of them. A breach gets our attention, but the hole is reason not to trust. Without testing, companies will often make least cost – least effective – decisions around security. Thank you for the security advocacy.

  • Well, done.
    if I read carefully you contacted AT&T first for them to fix the problem. There is another story about a Google developer releasing a zero day exploit on Windows to oblige Microsoft to fix it (as per his claims). It seems there is an issue related to companies handling security. The trend, is to “shoot the messenger” and threaten with lawsuit, instead of committing resources to fix the issue as high priority.

    I feel interesting that no one is charging AT&T for breach of privacy. They have a privacy statement, and many countries have privacy laws. Seems in Canada, they are passing a law that a company must inform its customers if they found a breach of privacy or found liable. Has AT&T apologized to each one of their customers?

    Security is important. It is not taken seriously, there are millions of small computers, on the form of mobile phones that are/will be connected to the Internet. They are so cheap, that I wonder how security patches will be handled if not at all. The story on the iPad is just things to come… Unfortunately….

  • I don’t blame any security researcher for NOT contacting companies directly. They go after you whenever you do, assuming they even take it seriously. They try to sue you out of existence rather than fixing the holes. In the US it should be covered under whistle blower laws but I doubt anyone whose doing serious work in finding vulnerabilities has deep enough pockets to make it stick. Why do I say that? Because anyone with deep enough pockets to make it stick as a whistle blower defense most likely also has an agenda and isn’t doing serious security research anyway.

  • [...] a recent blog post on the Goatse Security’s Web site, a member of the group defended its actions, stating that  [...]

  • [...] it was investigating the security breach, calling it a “potential cyberthreat,” in a recent blog post on the Goatse Security website, a member of the group defended its actions. The post made the [...]

  • [...] said it was investigating the security breach, calling it a “potential cyberthreat," in a recent blog post on the Goatse Security website, a member of the group defended its actions. The post made the [...]

  • There is another twist in this story, I understand a company unhappy about the disclosure of a security flaw which is a hard one to find. It is hard to develop a secure application.

    Here in this case AT&T has shown disregard for basic security procedure. I think this event may push companies to security QA their sotware before release, so the obvious hacks are not possible.

    I remember at one stage the US government wanted to require all the developers it contracts had a security certification. what happened to this plan?

  • [...] it was investigating the security breach, calling it a “potential cyberthreat,” in a recent blog post on the Goatse Security website, a member of the group defended its actions. The post made the [...]

  • [...] and the vulnerability was closed. Gawker published some of the data with the emails removed. Says Goatse: “All data was gathered from a public webserver with no password, accessible by anyone on the [...]

  • [...] and the vulnerability was closed. Gawker published some of the data with the emails removed. Says Goatse: “All data was gathered from a public webserver with no password, accessible by anyone on the [...]

  • [...] member of Goatse Security, the company that reportedly pulled off the heist, recently wrote a detailed blog post to clarify things, and, as Gawker reports, to defend the group’s actions. The author claims [...]

  • Hello, great article. Thanks a lot for sharing.

  • Hello, merci pour cet article. je vous souhaite bonne continuation. Sportivement !

  • [...] the time of its collection and its sharing of the details with Gawker for publication, the group claims that Gawker was the only outside party to receive the information and that the information was [...]

  • [...] story began last week when Goatse Security, a not-so-subtle legitimate front for a group of hackers that like to expose corporate electronic [...]

  • Leave a Reply

    Switch to our mobile site