UDID causes security compromise? Tapulous products’ users in danger!
Jul/095
Revenge, indeed.
Thanks to the guys at iPod touch Fans and their post here!
People out there who have a Tapulous account, beware. If you don’t know what a Tapulous account is, basically it’s the profile generated from the UDID (unique device identifier) of your iPhone/iPod touch. Tapulous’ authorization system is COMPLETELY dependent on your UDID, as practically speaking, you’re the only one with the number. It’s called UNIQUE for a reason, right?
Apparently that can be abused, with the UDID Changer app from Cydia. What’s detrimental is that your Facebook and Twitter information is stored on Tapulous’ servers as well. Of course it’s encoded, but when a malicious user changes their UDID to yours, Facebook and Twitter account data is immediately stored into their iPod touches/iPhones.
So what does this mean? It means that people can now access your Twitter and Facebook accounts, as well as anything else they store in their servers. Applications produced by Tapulous are: Tap Tap Revenge (and all its variants), Twinkle, Fortune, Collage and FriendBook.
Your next question that comes into mind must be: “But how the *insert profanity here* can they get my UDID?” There are PLENTY of ways noted by iPod touch Fans, including, but not limited to:
- The malicious user may just ask you, and you may give it to them.
- The malicious user may give you screenshots for a fantastic application they are making and offer you a beta. Of course, they need your UDID for you to beta test.
- The malicious user may be someone you know that actually has access to your device.
- Installer applications, such as Installer and Cydia send requests to the server with the UDID in the request. The maicious user may set up a repo to collect UDIDs.
- Etc. There are so many ways, it’s ridiculous.
Tapulous is aware of the exploit and are working on a fix to it, but meanwhile, unless you want someone posting the unthinkable on whatever accounts compromised, delete your Tapulous account. Change your Facebook and Twitter password as well, if you’re the “better safe than sorry” type of person.