Apple ID Leaks Traced to Application Developer

A recent criminal attack on the network of app developer BlueToad likely led to the leak of a million device identifiers for iPhones and iPads, the company said in a statement Sept. 10.

The breach happened nearly a week ago, likely a day or two before a group linking itself to the Anonymous movement claimed responsibility for the hack, stated Paul DeHart, CEO and president of BlueToad. The stolen data “primarily consisted” of the unique device identifiers (UDIDs) and the names of the Apple devices associated with those domains, he said.

“When we discovered that we were the likely source of the information in question, we immediately reached out to law enforcement to inform them and to cooperate with their ongoing criminal investigation,” DeHart said. “We have fixed the vulnerability and are working around the clock to ensure that a security breach doesn’t happen again.”

An independent researcher linked the company to the list of 1 million device IDs and names last week and the company found a 98 percent match between the lists, according to NBC News, which first reported the connection Sept. 10.

BlueToad’s statements contradict many of the claims by the hacker or group of hackers that leaked the data. In a statement published on Pastebin, the hackers had claimed they had stolen the data from the laptop of an FBI agent in March and that the data came from a larger list of 12 million devices that included key information about users, including name, address and mobile numbers.

“Not all devices have the same amount of personal data linked,” the post stated. “Some devices contained lot (sic) of info. Others no more than zipcodes or almost anything.”

The incident shows a major issue with having little information about breaches except for attackers’ claims-it becomes easy for the attackers to mislead, said Jim Fenton, chief security scientist for identity provider OneID.

“This highlights the unreliability of depending on the attacker to tell us about the attack,” he said. “They say they have 12 million IDs, but they may have less, or they may even have more.”

A researcher first notified BlueToad that their servers were likely the source of the leaked UDID data after discovering names in the file published last week that had some relationship to the company, such as “BlueToad Support,” stated the NBC News report.

By themselves, UDIDs do not pose a threat. However, many app developers use them to correlate the activities of users or identify users across applications. In some poor implementations, the UDID can be used to log into other services or gather data on a user, said Aldo Cortesi, principal at security consultancy Nullcube. In 2011, Cortesi investigated social gaming networks and found mistakes of varying severity.

“I … showed that it was possible to completely take over a user’s social gaming accounts, and access chat, in-game messaging and other highly personal information,” he said in an e-mail interview. “In the worst cases, I showed that it was possible to take over a user’s Twitter and Facebook accounts-if they had them linked to the social network-using JUST the UDID.”

Apple has already deprecated the UDID as a method of identifying the user, and most application developers are moving away from the technique. For that reason, BlueToad claimed the risk to users is small. The company will leave notification up to the publishers who use its service to publish digital magazines.

“BlueToad believes the risk that the stolen data can be used to harm app users is very low,” DeHart said in the company’s statement. “But that certainly doesn’t lessen our resolve to ensure that all data is protected and kept from those who seek to illegally obtain it.”