Earlier this week it was reported that AT&T’s web site was hacked. A group of hackers were able to obtain email addresses from the web site by a simple manipulation of request to AT&T’s web site.
Gawker media writes how the hack was done:
Goatse Security obtained its data through a script on AT&T’s website, accessible to anyone on the internet. When provided with an ICC-ID as part of an HTTP request, the script would return the associated email address, in what was apparently intended to be an AJAX-style response within a Web application.
The security researchers were able to guess a large swath of ICC IDs by looking at known iPad 3G ICC IDs, some of which are shown in pictures posted by gadget enthusiasts to Flickr and other internet sites, and which can also be obtained through friendly associates who own iPads and are willing to share their information, available within the iPad “Settings” application.
To make AT&T’s servers respond, the security group merely had to send an iPad-style “User agent” header in their Web request. Such headers identify users’ browser types to websites.
Stealing an email address is not a big deal. However it is an embarrassment to the company that gets hacked. But what if AT&T had credit card information, addresses or more information – it would be more than an embarrassment but a real security nightmare.
What does this mean to you?
1. You should be careful to NOT store any information on your web site, that you don’t want exposed, on your web site. Companies like Propay which have solutions to help you NOT store information on your servers.
2. Ensure custom scripts and programs are thoroughly checked for vulnerabilities.
3. Have your web site checked for vulnerabilities. Services like McAfee’s and Verisign can help you ensure your website code is secure.
Hear a webinar I did on this topic here.