[wamatt]

After reading this, I'm still a bit confused as to why this is a catastrophe?

Should we change our paypal passwords? Or worry about getting more spam? etc Why should an end user (eg my mom) care?

I'm not saying there aren't serious repercussions, just having a hard time seeing exactly what they are.

[cortesi]

Have a quick read through the posts linked in the article this story points to. I show that using just a UDID, you could access the user's geolocation, games they played, private messages and friends lists on many of the affected social networks, and in some cases (which affected millions of users) completely take over Twitter and Facebook accounts. This is with _just_ a UDID. Some of the companies I notified a year ago are still vulnerable today. And remember, I only looked at social gaming networks - small slice of the app ecosystem. I know that there are similar systemic issues in many other places. So yes, this is definitely a catastrophe.

Unfortunately, there's just not much an ordinary user can do. There's no way for a user to tell if an app accesses and broadcasts their UDID (if you're an expert you can use mitmproxy or a similar tool), and certainly no way to tell if the UDID is being used safely. I would recommend de-linking your social media accounts from all apps unless you know they're safe, but that's the kind of drastic advice that people tend not to take.

[wamatt]

Thanks for that. Not super worried about people knowing my location or games I played :p

However, this is of interest:

>and in some cases (which affected millions of users) completely take over Twitter and Facebook accounts

How is that possible? Are we going to see mass defacements/malware links or other bad stuff on Twitter and Facebook as a result?

Also what is meant by 'take over'? Surely it doesn't mean from a UDID alone, a hacker could log into that associated account with full permissions?

I'm assuming any scripted attack would only have the permissions that any other FB/Twitter app has, and could be blocked in App settings if it started doing 'bad stuff'?

[cortesi]

I found vulnerabilities in two social gaming networks that let you take control of people's Facebook and Twitter accounts using _just_ the UDID. I never published the details of these vulnerabilities, but you can find an official acknowledgement from at least one of these companies (Chillingo of Angry Birds fame) in this WSJ piece:

http://blogs.wsj.com/digits/2011/09/19/privacy-risk-found-on...

[samfoo]

By "Take control of..." you mean "act with the permissions of the app", I assume? I can't see how Angry Birds the app would ever have full control over my Facebook account unless there's a catastrophic vuln. in the Facebook API.

[TylerE]

Angry Birds was made by Rovio, not Chillingo.

Chillingo is a publisher of 3rd rate knockoffs.

[cortesi]

Chillingo is the publisher of the original Angry Birds, and it's their social network (which is integrated with Angry Birds and therefore on millions of devices) that had the vulnerability.

[api]

I think this proves that Apple's UDIDs are a horrible, insecure system. That is a privacy catastrophe.

[zmb_]

Not really. The UDID itself is not a "horrible, insecure system", it's just a unique identifier. It's the app developers who came up with the horrible, insecure systems due to how they used the UDID.

The problem is that the developers do not understand how to engineer secure systems. Take away the UDID and their systems will still be broken, just in a different way.

[mistercow]

That said, it does pose an interesting question as to what Apple could have done to prevent this eventuality. One possibility would have been not to expose a global device ID to developers, but instead to generate a per-app (or maybe per-developer-key) ID. That would have made such a leak extremely difficult, and would have isolated the damage to whatever vulnerabilities were present in a single app.

You're right that these developers would have made something broken regardless of whether this problem existed, but Apple should try not to give them enough rope to hang themselves. What's fascinating is that "globally visible unique identifier" turns out to be just enough rope.