FBI investigates Goatse's harvesting of iPad user e-mail addresses

Researchers from Goatse Security were able to access the e-mail addresses of 114,000 users of the 3G iPad because of a flaw in the website of AT&T, the iPad's US carrier.

Goatse Security found a web application on AT&T's website that returned an iPad user's e-mail address when it was sent specially written queries.

The group wrote an automated script to repeatedly query the site and harvest the addresses of iPad users in the US, including top company executives, government officials and military officers.

The FBI is investigating how private information about iPad users was compromised and whether the actions of the researchers constitute a crime, according to US reports.

US law prohibits unauthorized access to computers, but it is unclear whether the script used by Goatse Security qualifies.

Goatse Security maintains there was no illegal activity or unauthorized access involved and said in a blog post that although it did not contact AT&T directly, it made sure the company was tipped off.

The security vulnerability was fixed before it was publicized, all the private user information gathered was destroyed, and no remuneration was received, the group said.

"This disclosure needed to be made. iPad 3G users had the right to know that their e-mail addresses were potentially public knowledge so they could take steps to mitigate the issue (like changing their e-mail address). This was done in service of the American public," the group said.

According to Goatse Security, there was no breach, intrusion or penetration because all data was gathered from a public webserver with no password, accessible by anyone on the Internet.

“The FBI is aware of these possible computer intrusions and have opened an investigation to address the potential cyber threat,” FBI spokesman Jason Pack told Reuters.

AT&T, which launches the iPhone 4 on June 24, said only e-mail addresses were exposed to hackers who identified a security weakness. It said it has corrected the flaw, but declined to comment on the FBI probe.

This story was first published by Computer Weekly
