Guest User

A Simple Explanation of the GoatSec iPad not-Hack

a guest
Nov 20th, 2012
467
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. A Simple Explanation of How the Goatse Security "Account Slurper" Script Worked:
  2.  
  3. Disclaimer:
  4. I am not a member of Goatse Security, nor am I a member of their affiliated trolling group GNAA.
  5. I have never seen the code for the Account Slurper, nor have I ever engaged in a conversation with
  6. anyone connected to GoatSec or GNAA or Gawker regarding its implementation. This I pieced together
  7. just from reading the news articles regarding this case, and my own knowledge of computer science.
  8.  
  9. Publishing this is perfectly legal because 1) Anyone who knows how to implement this algorithm
  10. already knows how to do this anyway. 2) It's a very simple algorithm. 3) Educational purposes
  11. for developers in order to better defend against such simple exploits.
  12.  
  13. And to be honest, it's pathetic that something this simple was able to be used as an exploit.
  14. Seriously.
  15.  
  16. Definition of terms:
  17. SIM: Subscriber Identity Module, a chip present in all cellular devices that identifies the device
  18. as belonging to a particular user, and contains the digital key allowing a device to connect
  19. to a network.
  20.  
  21. ICCID: A unique serial number that identifies a particular SIM card - essentially, it is the unique
  22. identifier for a particular device. It's easy to find a possible ICCID, but ideally only
  23. you, your phone and the phone company should be able to find the link between your ICCID
  24. and your identity.
  25.  
  26. URL: A string of characters that identifies a webpage. For example, the URL
  27. https://www.youtube.com/watch?v=oF5fIHhsHeM points to a YouTube video parodying the Church of
  28. Scientology, and the 'hacker' group Anonymous.
  29.  
  30. The Algorithm:
  31.  
  32. Create text file for email address log.
  33.  
  34. integer icc = <lowest possible value for ICCID>
  35. integer max = <highest possible value for ICCID>
  36.  
  37. do {
  38. URL = "http://fake-example.com/some-page&showID?sim=" + icc
  39. open URL
  40. copy email address from page
  41. paste email address into log file
  42. icc = icc + 1
  43. } while icc is less than or equal to max
  44.  
  45. Discussion:
  46. As you can see, this is a very simple algorithm. All you do is guess an ICCID, and plug it into a
  47. URL. If it's valid, it gives you an email address, and now you can link a particular device with
  48. a particular person. No password. No authentication that you are who you say you are.
  49.  
  50. If the Chinese Patriotic Hacker Associations, or organized crime happened to get a hold of this
  51. link, and you happened to be a big enough target for them, you know that they would try to break
  52. into your device. And the email addresses of several CEOs of large companies, along with high
  53. ranking members of the Obama Administration were discovered using this script.
  54.  
  55. Now, I get that this made users lives easier when they connected to AT&T websites. I get that. And
  56. there are ways to get the functionality, that IS secure. One way I can think of is to use Digital
  57. Signatures, which proves that you are exactly who you say you are, and so that nobody can
  58. impersonate you. This is very easy to code up, and I'm sure there are other methods out there.
  59.  
  60. Long story short, AT&T did something very irresponsible, and Goatse Security did a public service
  61. by informing the media of this security hole.
  62.  
  63. The irony is that back in the day, AT&T, which owned Bell Labs, created the C programming
  64. language and Unix operating system, which was and is still widely praised for its security and
  65. stability. Microsoft, on the other hand, is frequently criticized by the same people for
  66. insecurity and instability. However, Microsoft, unlike AT&T, publicly thanks people who point
  67. out security flaws to them.
RAW Paste Data