Goatse Security, the outfit that cracked and exposed AT&T's iPad security, has released a statement defending its posting following AT&T's published attack on it.
Escher Auernheimer's missive states that AT&T's mailing to so much of its subscriber base "exposes a potential I have been suspicious of. They were likely not logging their httpd and had no idea how to verify the true scope of the disclosure, so they had to mail a huge number of customers."
"If not for our firm talking about the exploit to third parties who subsequently notified them, they would have never fixed it and it would likely be exploited by the RBN or the Chinese, or some other criminal organization or government (if it wasn’t already)," he writes.
He claims that AT&T's disclosure of the vulnerability was late, leaving the window open for hackers to exploit it. "Even in this disclosure, which I feel they would not have made if we hadn’t publicized this vulnerability, AT&T is being dishonest about the potential for harm," he writes.
Auernheimer also claims that he released "a semantic integer overflow exploit" for Safari through Goatse Security in March. This was patched on Apple’s desktop version of the browser but has yet to be patched on the iPad, he claims.
"This bug we crafted allows the viewer of a web page to become a proxy (behind corporate and government firewalls!) for spamming, exploit payloads, password brute force attacks and other undesirables. The kicker is that this attack cannot be detected by any current IDS/IPS system."
He adds: "We released this in March, mind you, and Apple still hasn’t got around to patching this on the iPad!"
Auernheimer concludes: "The iPad simply is not a safe platform for those that require a secure environment."