updated 01:41 pm EDT, Mon September 10, 2012
Points to 98 percent match with stolen data
An app-based publishing company, BlueToad, was the real source of the one million UDIDs leaked to the Internet last week, NBC reports. The company's CEO, Paul DeHart, says that technicians downloaded the list and compared it to an internal database, and found that the two matched up 98 percent. "Thatís 100 percent confidence level, itís our data," he states. "As soon as we found out we were involved and victimized, we approached the appropriate law enforcement officials, and we began to take steps to come forward, clear the record and take responsibility for this."
DeHart comments that BlueToad decided to check when an outside researcher, David Schuetz, approached the company and suggested the link, pointing to multiple references to the firm in the data. During the investigation, the company's analysis suggested that the list was stolen "in the past two weeks." That could conflict with AntiSec's claim that the UDIDs were pulled from an FBI agent's notebook in March. Both Apple and the FBI have denied AntiSec's version of events, although Schuetz says he can't confirm the lack of an FBI connection.
An Apple spokeswoman, Trudy Muller, has already issued a new statement. "As an app developer, BlueToad would have access to a user's device information such as UDID, device name and type," she says. "Developers do not have access to users' account information, passwords or credit card information, unless a user specifically elects to provide that information to the developer."
DeHart says that BlueToad won't be contacting individuals to let them know their data was leaked; instead, the choice to share is being left up to the content publishers that represent BlueToad's client base. In the meantime people can check to see if their UDIDs were exposed through various third-party tools, such as Dazzlepod's.
The CEO suggests that there isn't much threat to the leak, and simply recommends that people upgrade any apps they have, since BlueToad has stopped using UDIDs and newer versions of its apps don't collect the data. Apple itself is phasing out UDIDs; a replacement will take effect with iOS 6, and eventually developers will be banned from using the old system. Security researcher Aldo Cortesi contests DeHart's position, pointing out that UDIDs can potentially be used to gain access to online accounts and contact lists, and with some work, to discover a person's real identity.