AntiSec Probably Stole 12 Million UDIDs From An App Publisher, Not The FBI

AntiSec Probably Stole 12 Million UDIDs From An App Publisher, Not The FBI

First, AntiSec leaked a ton of iPhone and iPad UDIDs to the public, claiming they hacked them off an FBI laptop. The FBI responded and said there was no way the UDIDs came from them. Then Apple jumped in and said that they totally didn’t give anyone 12million UDIDs. But 12million UDIDs were still leaked and people are still wondering how the heck AntiSec got them.

A few theories have been bouncing around the web this morning, but the most plausible theory of how AntiSec got all the UDIDs is that a network of free apps were keeping track of UDIDs and AntiSec hacked them off the publisher’s laptop.

In a blog post this morning, Instapaper creator, Marco Arment, relayed an email from a Bojan Gajic whose UDID was among those in the FBI leak. Gajic explains that his UDID was leaked with a push notification token associated with Gitter Draw Free.

The publisher apparently uses their own back end for APNS. The app posts UDID, push token and few other basic details to apns.spankapps.com on launch. Glitter Draw alone cannot have 12 million users, but its publisher has another 76 novelty apps, and there could easily be 12 million users between all those apps.

I’m guessing the database at spankapps.com was compromised and the dump came from there.

With all the information we have about the leak, it looks like AntiSec’s hacking spree was a lot less glamorous than their original claim, and they probably just got the file off somebody’s laptop, rather than an FBI file off an FBI-issued laptop.

Related
  • dr3van

    First of all my UDID was on the leak list so I am concerned on how they where obtained. I looked for a list of apps published by Indigo Penguin Limited, the authors of glow draw, and I have never downloaded any of the apps from this publisher…

  • robert_walter

    Assuming Marco is correct, (and I believe he is, just due to plausibility alone,) I don’t get why antisec would make up a fairy tale that eventually will, and probably pretty transparently, be uncovered.

    Seems rather dumb, doesn’t build credibility, and doesn’t really seem to serve any social benefit (except to expose that a former policy (dont collect) and a soon to be discarded practice (udid use) at apple was not very good.)

  • technochick

    For all we know, the developer is, or is part of AntiSec and no ‘stealing’ was needed.

    and they could be lying about how much info they have. they haven’t proven they have 12 million UDIDs with personal info. they haven’t even proven they have 1 million so far.

  • technochick

    Assuming Marco is correct, (and I believe he is, just due to plausibility alone,) I don’t get why a tisec would make up a fairy tale that eventually will, and probably pretty transparently, be uncovered.

    Non techie types will hear the story, freak out and go to the websites and put in their UDID to check it. thus giving the number to AntiSec who are probably behind all the sites. Not to mention stir up a storm of indignation etc. Because unlike us, they don’t have the knowledge to really stop and think about what’s going on etc

  • technochick

    First of all my UDID was on the leak list so I am concerned on how they where obtained. I looked for a list of apps published by Indigo Penguin Limited, the authors of glow draw, and I have never downloaded any of the apps from this publisher…

    they might be using more than one developer name so that folks don’t make the connection.

  • hanhothi

    I think I trust AntiSec far more than the FBI!

About the author

Buster HeinBuster Hein is Cult of Mac's Social Media Editor. Hailing from Roswell, New Mexico, but now spending his days in Phoenix, Arizona, he wastes most of his time eating burritos and reading Spanish romance novels. Twitter: @bst3r.

(sorry, you need Javascript to see this e-mail address)| Read more posts by .

Posted in News | Tagged: , , , , , |