UDID causes security compromise? Tapulous products’ users in danger!

11 Jul 09

Revenge, indeed.

Thanks to the guys at iPod touch Fans and their post here!

People out there who have a Tapulous account, beware. If you don’t know what a Tapulous account is, it’s basically the profile generated from the UDID (unique device identifier) of your iPhone/iPod touch. Tapulous’ authorization system is COMPLETELY dependent on your UDID, on the assumption that, practically speaking, you’re the only one with the number. It’s called UNIQUE for a reason, right? The catch is that unique is not the same as secret: the UDID identifies your device, but nothing stops someone else from presenting the same number.

Apparently that can be abused with the UDID Changer app from Cydia. What’s worse is that your Facebook and Twitter information is stored on Tapulous’ servers as well. It’s encoded, but encoding is not access control: when a malicious user changes their UDID to yours, the servers hand your Facebook and Twitter account data to their iPod touch/iPhone exactly as they would to yours.

So what does this mean? It means that people can now access your Twitter and Facebook accounts, as well as anything else Tapulous stores on its servers against your UDID. Applications produced by Tapulous are: Tap Tap Revenge (and all its variants), Twinkle, Fortune, Collage and FriendBook.
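To make the flaw concrete, here is an added example (my own illustration, not Tapulous’ code; the server classes, the UDID value and the profile data are all made up) that puts a UDID-only lookup next to a hardened version. In the weak design the UDID is the whole credential, so anyone who presents it gets the stored profile, and base64 “encoding” of the stored data changes nothing. In the hardened design the UDID only identifies the device; a random token issued once at registration is what actually authenticates it.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed sample data (not from the post): a made-up 40-hex-character UDID
# and the kind of third-party account details the post says Tapulous stored.
VICTIM_UDID = "0123456789abcdef0123456789abcdef01234567"
VICTIM_PROFILE = {"twitter": "victim_tw", "facebook": "victim_fb"}


class UdidOnlyServer:
    """Vulnerable design: the UDID is the entire credential.

    Stored data is base64 'encoded', which anyone can reverse; encoding is a
    transport format, not access control.
    """

    def __init__(self):
        self.db = {}  # udid -> base64 blob of the profile

    def store(self, udid, profile):
        self.db[udid] = base64.b64encode(json.dumps(profile).encode()).decode()

    def fetch(self, udid):
        # Whoever presents a known UDID gets the profile: a spoofed UDID is enough.
        blob = self.db.get(udid)
        return json.loads(base64.b64decode(blob)) if blob else None


class DeviceTokenServer:
    """Hardened design: the UDID only identifies the device; a random
    per-device token handed out once at registration authenticates it.

    Only a hash of the token is kept server-side, so a database leak does not
    yield working credentials, and the comparison is constant-time.
    """

    def __init__(self):
        self.db = {}  # udid -> (sha256(token), profile)

    @staticmethod
    def _h(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def register(self, udid, profile):
        token = secrets.token_hex(32)  # 256-bit secret; the client must keep it
        self.db[udid] = (self._h(token), profile)
        return token

    def fetch(self, udid, token):
        rec = self.db.get(udid)
        if rec is None or token is None:
            return None
        stored_hash, profile = rec
        if not hmac.compare_digest(stored_hash, self._h(token)):
            return None  # right UDID, wrong (or missing) token: refused
        return profile


def demo():
    """Play the attack from the post against both designs and report what
    each party sees."""
    results = {}

    weak = UdidOnlyServer()
    weak.store(VICTIM_UDID, VICTIM_PROFILE)
    # Attacker has changed their device's UDID to the victim's (UDID Changer).
    results["vulnerable_attacker_sees"] = weak.fetch(VICTIM_UDID)

    strong = DeviceTokenServer()
    victim_token = strong.register(VICTIM_UDID, VICTIM_PROFILE)
    results["hardened_owner_sees"] = strong.fetch(VICTIM_UDID, victim_token)
    # Attacker knows the UDID but never received the token, and cannot guess it.
    results["hardened_attacker_sees"] = strong.fetch(VICTIM_UDID, None)
    results["hardened_guess_sees"] = strong.fetch(VICTIM_UDID, secrets.token_hex(32))
    return results


if __name__ == "__main__":
    for name, seen in demo().items():
        print(f"{name}: {seen}")
```

The cost of the hardened design is exactly the convenience of the weak one: a wiped device that re-downloads the app no longer gets its account back automatically, because the token is gone, so the user has to sign in some other way. It also does not help against someone with hands-on access to an unlocked or jailbroken device, who can read the token off it just as easily as the UDID.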

The next question that comes to mind must be: “But how the *insert profanity here* can they get my UDID?” There are PLENTY of ways noted by iPod touch Fans, including, but not limited to:

  • The malicious user may just ask you, and you may give it to them.
  • The malicious user may give you screenshots for a fantastic application they are making and offer you a beta. Of course, they need your UDID for you to beta test.
  • The malicious user may be someone you know that actually has access to your device.
  • Installer applications, such as Installer and Cydia, send requests to the server with the UDID in the request. The malicious user may set up a repo to collect UDIDs.
  • Etc. There are so many ways, it’s ridiculous.

Tapulous is aware of the exploit and is working on a fix, but meanwhile, unless you want someone posting the unthinkable on whichever accounts get compromised, delete your Tapulous account. Change your Facebook and Twitter passwords as well, if you’re the “better safe than sorry” type of person.

Comments (5)
  1. Jfresh
    4:07 PM on July 11th, 2009

    This isn’t even a big deal, not to mention false. UDID authentication is used by just about EVERY app on the app store, and probably zero people have fallen victim to it.

    First of all, it is very hard to get someone’s UDID; they’d have to give it to you, or have given it to someone else, who then gave it to you. Second:

    You said they can access “…anything else they store in their servers.”

    That’s just flat out wrong. They could not access anything on their servers, maybe high scores, but who gives a shit about that. Check your facts before posting next time.

  2. Gadget Cracker
    7:56 PM on July 12th, 2009

    Calm down Jfresh, it may not be the end of the world, but it is a security flaw with apps that can store sensitive data. While it may be true that most apps use this authentication, it is particularly bothersome here because Tapulous can store info about these other services and they obviously do not provide adequate security measures to protect this information. As for it being very hard to get someone’s UDID, that is disputable as well. Anyone with a jailbroken iPhone has access to tools that could allow one to capture data from another person’s iPhone (most likely via wifi). The bottom line is that, yes, it will not affect many people, but it’s a potentially major security flaw if it happened to your or my own Facebook or Twitter account.

  3. RagnaParadise
    8:34 PM on July 12th, 2009

    First of all Jfresh, I’m sorry for blowing this out of proportion as the title might be misleading. The post was meant to be a warning to Tapulous users as I’m sure some out there are concerned about their personal information and whatnot.

    Have you ever restored your iPhone/iPod touch and re-downloaded Tap Tap Revenge? While most of us just restore data from backup, I did a clean wipe and obtained a clean copy of the game, and it immediately downloaded my Tapulous account data inside. A simple Google search revealed this post as well: http://getsatisfaction.com/tapulous/topics/twinkle_remeambers_me_even_after_a_device_restore

    In my personal experience, as well as some explanation from SkylarEC of the iPod touch Fans community, there are plenty of ways to get your UDID. You can read some of his replies on the forums with the link to the topic above, but there are many ways.

    Those with physical contact with your iPhone can simply obtain it even in Tap Tap Revenge itself by clicking on “Advanced Settings and Help” and reading the UDID from the URL itself. Even without the app itself, iTunes will show you your UDID when you’ve plugged it in: just click on “Serial Number” once and it will jump to “Identifier (UDID)” and voila, the “secret” and unique 40-character identifier.

    The following link would also dispel any theory that the UDID is difficult to obtain as well:
    http://www.ipodtouchfans.com/forums/showpost.php?p=1702281&postcount=37

    And my apologies if you misunderstood what I said, but “anything else stored in their servers” is specifically talking about anything else stored in their servers _corresponding_ to your UDID.

    I hope that clarifies my post. Do reply.

  4. Chris J
    8:45 PM on July 22nd, 2009

    You would think people would be more appreciative of information regarding security. If you think it’s okay then keep using it, and at least you know! Does that guy work at the company or what!!!?!!? Keep on doing what you’re doing!

  5. Hobo man
    9:25 PM on March 16th, 2010

    Yes, very true. I changed the UDID some apps saw and made new accounts on stuff. It’s some freaky stuff and your UDID should never be given away.
