First, AntiSec leaked a ton of iPhone and iPad UDIDs to the public, claiming they hacked them off an FBI laptop. The FBI responded and said there was no way the UDIDs came from them. Then Apple jumped in and said that they totally didn’t give anyone 12 million UDIDs. But 12 million UDIDs were still leaked and people are still wondering how the heck AntiSec got them.
A few theories have been bouncing around the web this morning, but the most plausible theory of how AntiSec got all the UDIDs is that a network of free apps was keeping track of UDIDs and AntiSec hacked them off the publisher’s laptop.
In a blog post this morning, Instapaper creator Marco Arment relayed an email from a Bojan Gajic, whose UDID was among those in the FBI leak. Gajic explains that his UDID was leaked with a push notification token associated with Glitter Draw Free.
The publisher apparently uses their own back end for APNS. The app posts UDID, push token and a few other basic details to apns.spankapps.com on launch. Glitter Draw alone cannot have 12 million users, but its publisher has another 76 novelty apps, and there could easily be 12 million users between all those apps.
I’m guessing the database at spankapps.com was compromised and the dump came from there.
With all the information we have about the leak, it looks like AntiSec’s hacking spree was a lot less glamorous than their original claim, and they probably just got the file off somebody’s laptop, rather than an FBI file off an FBI-issued laptop.