FBI Not Source Of Apple UDID Leak: BlueToad Admits Leak

Digital publishing company BlueToad says data breach resulted in leak of millions of UDIDs

Digital publishing company BlueToad says it was the source of a data breach that resulted in the theft of device identification data belonging to millions of Apple users -- not the FBI.

Last week, hackers with a group known as AntiSec claimed to have gained access to an FBI computer and stolen 12 million UDIDs, or unique device identifiers. UDIDs identify a particular iOS device, such as an iPhone or iPod.

According to Paul DeHart, CEO of BlueToad, the company contacted law enforcement once it determined it was the likely source of the leaked information.

"We have fixed the vulnerability and are working around the clock to ensure that a security breach doesn't happen again," he said in a blog post.

The company was notified that it was the possible source by David Schuetz, a security consultant with the Intrepidus Group, who analyzed the roughly 1 million UDIDs that had been posted online and linked them to BlueToad. His investigation is detailed on the Intrepidus Group's blog.

AntiSec's claims that an FBI computer had been hacked were denied last week by the law enforcement agency, which stated that there was no evidence that an FBI laptop was compromised or that the agency had sought or obtained Apple UDIDs. Apple has also publicly denied giving the information to the FBI, and said the agency never requested it.

Apple began rejecting apps that access UDIDs earlier this year after warning app developers in 2011 that it would be phasing out the ability with the introduction of iOS 5. The move followed the eruption of controversy regarding the use of UDIDs by advertisers for tracking purposes.

According to DeHart, BlueToad stored UDIDs "pursuant to commercial industry development practices."

"Upon Apple's recommendation several months ago, we modified our code base to discontinue the practice of reporting UDIDs," he wrote. "We have now also discontinued storing any UDID information sent to our servers by apps that have not yet been updated to the new code base."

"We understand and respect the privacy concerns surrounding the data that was stolen from our system," DeHart added. "BlueToad believes the risk that the stolen data can be used to harm app users is very low. But that certainly doesn't lessen our resolve to ensure that all data is protected and kept from those who seek to illegally obtain it."

As of publication, the BlueToad website appears to have gone down.
