In-depth analysis of a PHP attack that led to Apple information disclosure

Recently over 100,000 Apple customers were affected by an information disclosure attack on the AT&T website. Security experts blame this breach on “poorly designed software”. An analysis of the attack reveals that the hackers did indeed use a classic PHP attack. In fact, the only tool used in this breach was a PHP script that enumerated all ICC-ID numbers and launched an HTTP GET request for each ID. If an ID matched an Apple iPad subscriber, his or her email address was revealed.
The image below shows just a snippet of the information harvested by the attackers. You will notice that the list contains many US military and government email addresses. This raises the question: why are users at the US White House, DARPA and the Army using their government email addresses for their iPhone subscriptions?

Sample of data stolen from AT&T website

The flaw in detail
The mistake in the AT&T website software was subtle, but the results were very damaging. The core of the problem lies in a script on the AT&T website: https://dcp2.att.com/OEPClient/openPage
This script takes one parameter called “ICCID” and another called “IMEI”, which apparently is ignored. If a valid ICCID is passed, the script will respond (continue reading...)
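
How the enumeration described above looks from the server side, as an added detection sketch (not code from the original post or from AT&T): it flags clients that request many distinct ICCID values from the script within a short window. The log format, threshold, window, client addresses and ICCID values are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Assumed access-log layout (common log format); adjust the pattern to the real server.
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "GET (?P<url>\S+) [^"]*"')

def find_iccid_enumerators(lines, path="/OEPClient/openPage",
                           max_distinct=5, window=timedelta(minutes=1)):
    """Return {client_ip: peak_distinct_iccids} for clients that asked for more
    than max_distinct different ICCID values inside any sliding window."""
    seen = defaultdict(list)  # ip -> [(timestamp, iccid)]
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["url"])
        if url.path != path:
            continue
        iccid = parse_qs(url.query).get("ICCID", [None])[0]
        if iccid is None:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        seen[m["ip"]].append((ts, iccid))
    flagged = {}
    for ip, events in seen.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Shrink the window from the left until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({iccid for _, iccid in events[start:end + 1]})
            if distinct > max_distinct:
                flagged[ip] = max(flagged.get(ip, 0), distinct)
    return flagged

def _line(ip, sec, iccid):
    # Constructed log line; IPs are documentation ranges, ICCIDs are made up.
    return (f'{ip} - - [01/Jan/2012:00:00:{sec:02d} +0000] '
            f'"GET /OEPClient/openPage?ICCID={iccid}&IMEI=0 HTTP/1.1" 200 512')

# One client walking sequential ICCIDs, one client repeating a single ICCID.
SAMPLE = [_line("203.0.113.7", s, 8900000000000000000 + s) for s in range(20)]
SAMPLE += [_line("198.51.100.4", s * 10, 8900000000000009999) for s in range(3)]

if __name__ == "__main__":
    print(find_iccid_enumerators(SAMPLE))
```

Counting distinct identifiers rather than raw request volume keeps a subscriber who reloads their own page from being flagged, while a script stepping through the ID space stands out quickly.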


Copyright © 2012 The Security Blog. All rights reserved.