Data was transmitted by the company without any encryption. Identification numbers, device names and other information were stored in a database which was hacked, according to BlueToad. The company also admitted that it was the source of the data breach, the victim of the hacker group Antisec.
After the break in their security was determined, BlueToad says in contacted authorities immediately and claim they have fixed the vulnerability. Contrary to what the Journal reports, BlueToad claims that data (including UDIDs) was stored in accordance with industry practices. They further state that they started to not report UDIDs per a recommendation by Apple many months ago, but only just stopped storing UDIDs sent by apps that were still not updated with the new code.
Antisec released about one million UDIDs, some which were attached to full names, cell phone numbers and other information. The Wall Street Journal reports that it conducted a test last week using several devices which were on the hacker’s list and found that all of the devices had downloaded applications that transmit UDIDs to BlueToad. Further analysis revealed that everything Antisec said was attached to the unique identifiers was there, ID numbers, device information, tokens for notifications and all was sent to BlueToad.
It does not stop there unfortunately. The apps also asked users for permission to access personal data, like zip-codes, email addresses. Part of the interface allows publishers that use BlueToad’s software to request access to other data as well, such as phone numbers and address – all transmitted in “cleartext.”
BlueToad would not comment on the methods of the successful hack, but said that the time between the hack and the release of the UDIDs was less than a week.
For its part, Apple has said that iOS 6 would replace the use UDIDs and would “soon be banning” them. BlueToad has also stated that they do not any personal information in their systems, such as credit card numbers or social security numbers.
That is all well and good, but if someone with the right amount of talent knows how to exploit the UDID, as well as the SMS vulnerability in iOS, maybe this issue is not ready to be laid to rest just yet.
source: Wall Street Journal, BlueToad