NEWS FROM THE LAB - Wednesday, December 15, 2010

Gawker's Data Disclosure Posted by Sean @ 17:42 GMT

I've been traveling, and whenever I return to the office, there's always a lot of news to catch up on. I'm just now reading the details related to Gawker Media's recent security breach. Over one million Gawker/Gizmodo/Lifehacker related commenting accounts were compromised last weekend, and more than 500,000 e-mail addresses and 185,000 decrypted passwords are being shared on The Pirate Bay.

On Monday there was a Twitter spam outbreak promoting Acai berries. Many people use the same password on multiple sites, which they really shouldn't, and so the compromised Gawker accounts provided access to Twitter accounts…

If you use any Gawker related sites, you should update all of your related passwords.

That's all very interesting, but I'm curious about something else related to Gawker. Last June, a group called "Goatse Security" exploited a vulnerability on AT&T Web servers and harvested iPad customer e-mail addresses and network IDs.

From the Wall Street Journal: "In a blog post defending Goatse Security's actions, a member of the group said it only gave the data to Gawker and later destroyed it."

In that same Goatse blog post, I was quoted as saying: "the disclosure was completely irresponsible."

Did I think the vulnerability disclosure was irresponsible?


Did I think the exploitation of the vulnerability was irresponsible?

Well, kind of. I mean, they could have bought an iPad to exploit themselves and didn't really need to harvest other people's names to make their point… but let's say no. Even exploiting the vulnerability wasn't "completely" irresponsible.

So what was it that I thought was so completely irresponsible?

It was the turning over of an unredacted dataset to Gawker Media.


Because regardless of how much Goatse Security trusted Remy Stern and Ryan Tate of Gawker/Valleywag (and I'm sure they're very trustworthy), Goatse Security never should have trusted AT&T customer information to Gawker's security infrastructure.

After all, six months later, Gawker was hacked:

[Image: Slate's "Was Your Gawker Password Hacked?"]

And so who knows now where those iPad addresses have ended up?

Hopefully they were deleted from Gawker's servers after the FBI finished their investigation.

I e-mailed Ryan Tate last June to ask how the iPad dataset was sent, encrypted or not, but I never heard back… I'm sure Ryan was busy at the time. And I'm sure he's busy now as well, but at this point, I want to know.

How and in what format was the iPad dataset sent to Gawker, and how/when was it deleted?


Edited: Even exploiting the vulnerability wasn't "completely" irresponsible.

Typo has been corrected.

Update: Escher Auernheimer of Goatse Security offers assurances, via Twitter, that the transfer was between them and Tate only; the dataset never touched Gawker servers.