The New York Times has more details on the iPad security breach that led to the arrest of two men yesterday. Andrew Auernheimer, of Fayetteville, and another man were charged with fraud and conspiracy to access a computer without authorization. The men were part of a group called Goatse Security that found a weak spot in AT&T's website that allowed them to gain access to personal information from over 100,000 iPad users.
The Goatse Security group informed AT&T back in June that there was a security flaw that allowed anybody with a web connection to get those passwords, no hacking required. Instead of getting a medal, they got busted.
The Goatse Security group originally maintained, in an open letter to AT&T in June, that it exposed the security vulnerability on the company’s site to alert it to the problem. The flaw allowed anyone to discover e-mail addresses by submitting potential iPad identification numbers to the site. The group’s post said that “all data was gathered from a public Web server with no password, accessible by anyone on the Internet.”...
Richard Wang, manager of the security firm SophosLabs in the United States, said there was “criticism to be leveled at both sides” in the case.
“AT&T’s site wasn’t sufficiently secure,” Mr. Wang said. The company may have felt pressure to take strong action, he said, considering the data leak involved a prominent business partner.