The iPad could have more security flaws than the one found on AT&T's web site last week. In a posting Monday, hacker site Goatse Security said "all iPads are vulnerable" because of a weakness in Apple's Safari browser. The notice was in response to an e-mail sent to iPad owners this weekend by AT&T, in which the carrier apologized but blamed the incident on "malicious" hackers.
According to Goatse, a user could click a malicious link in the browser and the security hole could allow unauthorized access to the iPad. The site said Safari does not block connections to high-numbered, illegitimate ports (the numbered communication channels over which a browser talks to a server). This, combined with the browser's ability to automatically fulfill software requests, could spell trouble. Apple has not released a fix or a statement.
'Malicious,' Result of 'Great Effort'
The posting about Safari's vulnerability was a retort to AT&T's apology. Goatse brought attention last week to a vulnerability in the carrier's web site that allowed the acquisition of more than 100,000 iPad users' SIM card ID numbers and e-mail addresses.
In its e-mail sent Sunday, Dorothy Attwood, AT&T's senior vice president and chief privacy officer, called Goatse's hack "malicious" and the result of "great effort." She added that "unauthorized computer 'hackers' maliciously exploited a function designed to make your iPad log-in process faster." AT&T said it turned off the web-site feature that made the security breach possible.
Some observers have said AT&T should not be storing confidential information on a publicly accessible web site. The list of e-mail addresses included many high-profile individuals, including staff members in the U.S. Senate and House of Representatives, and employees at the Justice Department, NASA, Department of Homeland Security, The New York Times, Dow Jones, Viacom, Time Warner, and News Corp.
'No Breach, Intrusion or Penetration'
Goatse countered AT&T's e-mail by noting that the breach took only an hour. It charged that neither AT&T nor Apple was taking security seriously. The FBI has said it is investigating the breach.
Although AT&T accused Goatse of irresponsibly making the vulnerability public, the security site said it disclosed the vulnerability only after the hole had been closed and no longer posed a threat. It added that it retrieved all the confidential information from AT&T's public web server without a password and "there was no breach, intrusion or penetration."
Goatse said "this disclosure needed to be made," arguing that "iPad 3G users had the right to know that their e-mail addresses were potentially public knowledge so they could take steps to mitigate the issue," like changing their address.