A Simple Explanation of the GoatSec iPad not-Hack

1. A Simple Explanation of How the Goatse Security "Account Slurper" Script Worked:
2.  
3. Disclaimer:
4. I am not a member of Goatse Security, nor am I a member of their affiliated trolling group GNAA.
5. I have never seen the code for the Account Slurper, nor have I ever engaged in a conversation with
6. anyone connected to GoatSec or GNAA or Gawker regarding its implementation. This I pieced together
7. just from reading the news articles regarding this case, and my own knowledge of computer science.
8.  
9. Publishing this is perfectly legal because 1) Anyone who knows how to implement this algorithm
10. already knows how to do this anyway. 2) It's a very simple algorithm. 3) Educational purposes
11. for developers in order to better defend against such simple exploits.
12.  
13. And to be honest, it's pathetic that something this simple was able to be used as an exploit.
14. Seriously.
15.  
16. Definition of terms:
17. SIM: Subscriber Identity Module, a chip present in all cellular devices that identifies the device
18. as belonging to a particular user, and contains the digital key allowing a device to connect
19. to a network.
20.  
21. ICCID: A unique serial number that identifies a particular SIM card - essentially, it is the unique
22. identifier for a particular device. It's easy to find a possible ICCID, but ideally only
23. you, your phone and the phone company should be able to find the link between your ICCID
24. and your identity.
25.  
26. URL: A string of characters that identifies a webpage. For example, the URL
27. https://www.youtube.com/watch?v=oF5fIHhsHeM points to a YouTube video parodying the Church of
28. Scientology, and the 'hacker' group Anonymous.
29.  
30. The Algorithm:
31.  
32. Create text file for email address log.
33.  
34. integer icc = <lowest possible value for ICCID>
35. integer max = <highest possible value for ICCID>
36.  
37. do {
38. URL = "http://fake-example.com/some-page&showID?sim=" + icc
39. open URL
40. copy email address from page
41. paste email address into log file
42. icc = icc + 1
43. } while icc is less than or equal to max
44.  
45. Discussion:
46. As you can see, this is a very simple algorithm. All you do is guess an ICCID, and plug it into a
47. URL. If it's valid, it gives you an email address, and now you can link a particular device with
48. a particular person. No password. No authentication that you are who you say you are.
49.  
50. If the Chinese Patriotic Hacker Associations, or organized crime happened to get a hold of this
51. link, and you happened to be a big enough target for them, you know that they would try to break
52. into your device. And the email addresses of several CEOs of large companies, along with high
53. ranking members of the Obama Administration were discovered using this script.
54.  
55. Now, I get that this made users lives easier when they connected to AT&T websites. I get that. And
56. there are ways to get the functionality, that IS secure. One way I can think of is to use Digital
57. Signatures, which proves that you are exactly who you say you are, and so that nobody can
58. impersonate you. This is very easy to code up, and I'm sure there are other methods out there.
59.  
60. Long story short, AT&T did something very irresponsible, and Goatse Security did a public service
61. by informing the media of this security hole.
62.  
63. The irony is that back in the day, AT&T, which owned Bell Labs, created the C programming
64. language and Unix operating system, which was and is still widely praised for its security and
65. stability. Microsoft, on the other hand, is frequently criticized by the same people for
66. insecurity and instability. However, Microsoft, unlike AT&T, publicly thanks people who point
67. out security flaws to them.