Quote:
Goatse Security obtained its data through a script on AT&T's website, accessible to anyone on the internet. When provided with an ICC-ID as part of an HTTP request, the script would return the associated email address, in what was apparently intended to be an AJAX-style response within a Web application. The security researchers were able to guess a large swath of ICC IDs by looking at known iPad 3G ICC IDs, some of which are shown in pictures posted by gadget enthusiasts to Flickr and other internet sites, and which can also be obtained through friendly associates who own iPads and are willing to share their information, available within the iPad "Settings" application.
To make AT&T's servers respond, the security group merely had to send an iPad-style "User agent" header in their Web request. Such headers identify users' browser types to websites.
The group wrote a PHP script to automate the harvesting of data. Since a member of the group tells us the script was shared with third parties prior to AT&T closing the security hole, it's not known exactly whose hands the exploit fell into and what those people did with the names they obtained. A member tells us it's likely many accounts beyond the 114,000 have been compromised.
In short, a web developer was careless in automatically returning a customer's email address whenever a SIM card identifier plus an iPad header was received.
Quote:
HTTP headers supplied by your browser (80.125.176.121):
Host: pgl.yoyo.org
User-Agent: Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_0_1 like Mac OS X; fr-fr) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7A400 Safari/528.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: fr-fr
Accept-Encoding: gzip, deflate
X-Vfprovider: SFR
X-Vfstatus: 10
X-Nokia-Bearer: UMTS
Servicecontrolinfo: 18+=-
X-Nokia-Gid: 256071628134689
X-Nokia-Connection-Mode: TCP
X-Nokia-Gateway-Id: NWG/4.1/Build79
X-Nokia-Ipaddress: 10.115.249.94
Via: 1.1 proxy.cwg.net (proxy)
X-Forwarded-For: 10.115.249.94, 10.115.249.94
Cache-Control: max-age=259200
If-Modified-Since: Tue, 15 Jun 2010 18:34:02 GMT
Connection: Keep-Alive
Pragma: no-cache
X-Bluecoat-Via: 4E602D01B7A6BF50
and if I'm posting it here, it's because, after checking, it doesn't contain much that is truly individual (other than that I'm with SFR).
Quote:
Location:
HTTP_X_CELL_TOWER_CURRENT_ID="0"
HTTP_X_CELL_TOWER_CURRENT_SIGNAL_STRENGTH="-256"
HTTP_X_CELL_TOWER_CURRENT_TIME="5/15/2009 6:13:4 GMT/Zulu"
HTTP_X_CELL_TOWER_PREVIOUS_ID="13338"
HTTP_X_CELL_TOWER_PREVIOUS_TIME="5/14/2009 13:58:17 GMT/Zulu"
HTTP_X_CELL_TOWER_SIGNAL_PREVIOUS_STRENGTH="-70"
HTTP_X_GPS_CURRENT_ALTITUDE="-1962.0 m"
HTTP_X_GPS_CURRENT_DIRECTION="335.5829"
HTTP_X_GPS_CURRENT_LATITUDE="39.474105"
HTTP_X_GPS_CURRENT_LONGITUDE="-104.912521"
HTTP_X_GPS_CURRENT_SPEED="20.93 m/s"
HTTP_X_GPS_CURRENT_TIME="5/14/2009 11:44:16 GMT/Zulu"
HTTP_X_GPS_PREVIOUS_ALTITUDE="-1962.0 m"
HTTP_X_GPS_PREVIOUS_DIRECTION="357.64343"
HTTP_X_GPS_PREVIOUS_LATITUDE="39.474105"
HTTP_X_GPS_PREVIOUS_LONGITUDE="-104.912521"
HTTP_X_GPS_PREVIOUS_SPEED="26.93 m/s"
HTTP_X_GPS_PREVIOUS_TIME="5/14/2009 11:43:58 GMT/Zulu"
Owner Information:
HTTP_X_EMAIL_ADDRESS="john.doe@5o9inc.com"
HTTP_X_NAME="John Doe"
HTTP_X_ZIPCODE="96849"
Custom Data Fields:
HTTP_X_ME_CUSTOM_ITEM_1="1"
HTTP_X_ME_CUSTOM_ITEM_2="2"
HTTP_X_ME_CUSTOM_ITEM_3="3"
HTTP_X_ME_CUSTOM_ITEM_4="4"
Device:
HTTP_X_BROWSER_HEIGHT="480"
HTTP_X_BROWSER_VERSION="4.6.0.167"
HTTP_X_BROWSER_WIDTH="320"
HTTP_X_CARRIER="SRVC=0 TYPE=7"
HTTP_X_DEVICE_OS="4.6.0.167 (Platform 4.0.0.157)"
HTTP_X_DEVICE_TYPE="BlackBerry 9000"
HTTP_X_SCREEN_COLORS="65536"
HTTP_X_SCREEN_HEIGHT="480"
HTTP_X_SCREEN_RESOLUTION="Horz=8547PPM Vert=8547 PPM"
HTTP_X_SCREEN_WIDTH="320"
Windows Mobile Specific Fields:
HTTP_X_ME_ALLOW_ALL_DOMAINS="No"
HTTP_X_ME_CONVERT_NMEA="Yes"
HTTP_X_ME_DSR_SENSITIVITY="Yes"
HTTP_X_ME_JSAPI_ALLOW="Yes"
HTTP_X_ME_JSAPI_VERSION="JSAPI/1.2.3"
Finally, the ICCID is not strictly speaking confidential information (it is notably printed on the phone's box, in the case of a SIM + handset bundle, or on the SIM card itself, so it is visible in shops), and if the operator's IT system is well designed, it does not lead to the user's personal data.
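As an added illustration of the weakness described at the top of the thread (example code written for this edit, not AT&T's endpoint, the harvesting script or anything from Goatse Security), here is the ICC-ID lookup in its weak form beside a hardened form that only releases the address to a session already authenticated as that subscriber, plus the log check a defender would run to spot enumeration. The ICC-IDs, addresses, session scheme, header name and log format are constructed assumptions.

```python
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed sample subscriber table (ICC-ID -> e-mail); not real data.
SUBSCRIBERS: Dict[str, str] = {
    "89000000000000000001": "alice@example.invalid",
    "89000000000000000002": "bob@example.invalid",
}
# Session token -> ICC-ID the session is authenticated for (hardened variant only).
SESSIONS: Dict[str, str] = {}


def weak_lookup(iccid: str, headers: Dict[str, str]) -> Optional[str]:
    """Behaviour the article describes: the ICC-ID alone selects the record and
    the only gate is a User-Agent header that any client can set."""
    if "iPad" not in headers.get("User-Agent", ""):
        return None
    return SUBSCRIBERS.get(iccid)


def login(iccid: str, password: str, credentials: Dict[str, str]) -> Optional[str]:
    """Assumed login step: on success, bind a random session token to this ICC-ID."""
    if not hmac.compare_digest(credentials.get(iccid, ""), password):
        return None
    token = secrets.token_urlsafe(16)
    SESSIONS[token] = iccid
    return token


def hardened_lookup(iccid: str, headers: Dict[str, str]) -> Optional[str]:
    """The address is released only to a session authenticated as that subscriber,
    so sequential ICC-ID guesses return nothing, whatever the User-Agent says."""
    token = headers.get("X-Session-Token", "")  # constructed header name
    if SESSIONS.get(token) != iccid:
        return None
    return SUBSCRIBERS.get(iccid)


def enumeration_suspects(access_log: List[Tuple[str, str]], threshold: int = 3) -> List[str]:
    """Detection: a single source address querying many distinct ICC-IDs is the
    footprint of the automated harvesting the article describes."""
    seen: Dict[str, set] = {}
    for src_ip, iccid in access_log:  # (source address, ICC-ID queried)
        seen.setdefault(src_ip, set()).add(iccid)
    return sorted(ip for ip, ids in seen.items() if len(ids) >= threshold)
```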