Hackers leak 1 million Apple IDs - and now I have an unauthoried download on my iTunes acct!!

Forums › Off topic › Hackers leak 1 million Apple IDs - and now I have an unauthoried download on my iTunes acct!!

1 | 2 | 3

18684 posts

Uber Geek
+1 received by user: 7824

Lifetime subscriber

#682154 6-Sep-2012 09:43

1080p: Er, how did they gain access your Apple account exactly? That hack released the Apple iPhone UDID list. Not your password or any other personal information.

"As proof, the hackers released a stripped-down version of that file that only contained 1 million UDIDs, with associated Apple Push Notification Service tokens and device names. The other personal data that accompanied many of the UDIDs was intentionally removed, the hackers said."

I strongly believe this hack and your account compromise are completely unrelated.

keewee01: So it looks like these little w@nk5r$ used the stolen details to download a free game from iTunes and to then make an in game purchase of $24.99. Great security Apple! And even better security FBI - why were the FBI in possession of my account details in the first place!?????????

Game developer association of private personal details with UUID has been known for some time as a security problem. Bad idea from the beginning. Major game developers were unwilling to change this architecture. Some did work to mitigate the extent of the problem without changing the basic architecture. Apple began to discourage the UUID association practice a little while ago, deprecated the API, but it still can be and is widely used by game developers.

For keewee01 it is very likely the attackers first compromised the game account using the UUID {and} from there obtained enough further information to compromise the iTunes account. There are other possibilities to go forward after the {and} depending on how bad things were at the game end of things.

So, end of the story - very likely the game was compromised first and then {if at all - perhaps not necessary} iTunes account compromised as a result of information obtained from game account.

It follows from the above - resetting your iTunes password may make no difference to the attack vector.

In these circumstances it is not surprising to me Apple has disabled an account completely.

timmmay

20858 posts

Uber Geek
+1 received by user: 5350

Trusted

Lifetime subscriber

#682156 6-Sep-2012 09:48

Reset your apple ID here.

I notice they gave you a credit, not a refund, that's not the same thing, but if you'll use it some time it's easier than arguing with them.

gzt

18684 posts

Uber Geek
+1 received by user: 7824

Lifetime subscriber

#682158 6-Sep-2012 09:51

Another thing to note here. Not being on that list does not guarantee anything. The anti-sec hack has so far released 1 million of the 12 million records they obtained. We do not know how many other people may or may not have access to the other 11 million records.

keewee01

1743 posts

Uber Geek
+1 received by user: 204

Trusted

#682186 6-Sep-2012 10:28

timmmay: Reset your apple ID here.

I notice they gave you a credit, not a refund, that's not the same thing, but if you'll use it some time it's easier than arguing with them.

Good point - have changed my Apple ID (sigh... and therefore the email address used for this account!) Have previously only changed the password..

Yes - interesting that it was a credit... Maybe it is because of the all sales are final policy?

keewee01

1743 posts

Uber Geek
+1 received by user: 204

Trusted

#682187 6-Sep-2012 10:32

gzt:
1080p: Er, how did they gain access your Apple account exactly? That hack released the Apple iPhone UDID list. Not your password or any other personal information.

"As proof, the hackers released a stripped-down version of that file that only contained 1 million UDIDs, with associated Apple Push Notification Service tokens and device names. The other personal data that accompanied many of the UDIDs was intentionally removed, the hackers said."

I strongly believe this hack and your account compromise are completely unrelated.

keewee01: So it looks like these little w@nk5r$ used the stolen details to download a free game from iTunes and to then make an in game purchase of $24.99. Great security Apple! And even better security FBI - why were the FBI in possession of my account details in the first place!?????????

Game developer association of private personal details with UUID has been known for some time as a security problem. Bad idea from the beginning. Major game developers were unwilling to change this architecture. Some did work to mitigate the extent of the problem without changing the basic architecture. Apple began to discourage the UUID association practice a little while ago, deprecated the API, but it still can be and is widely used by game developers.

For keewee01 it is very likely the attackers first compromised the game account using the UUID {and} from there obtained enough further information to compromise the iTunes account. There are other possibilities to go forward after the {and} depending on how bad things were at the game end of things.

So, end of the story - very likely the game was compromised first and then {if at all - perhaps not necessary} iTunes account compromised as a result of information obtained from game account.

It follows from the above - resetting your iTunes password may make no difference to the attack vector.

In these circumstances it is not surprising to me Apple has disabled an account completely.

Yes - I think that somehow that is part of the vector used. Interestingly I've never signed up to anything other than music via iTunes - no games, no podcasts, no third parties that I know of! (And there doesn't seem to be anyway to find that information out in your account, that I can see).

My account doesn't seem to be disabled yet as I can log into it and change details... I wonder what disabled actually means in the Apple Universe?

Have now changed my Apple ID so hopefully that is the end of it...

timmmay

20858 posts

Uber Geek
+1 received by user: 5350

Trusted

Lifetime subscriber

#682210 6-Sep-2012 11:20

I meant change the password, not the whole ID, but that could be worthwhile if there's a security hole.

HP

Shop now for HP laptops and other devices (affiliate link).

KellyP

1250 posts

Uber Geek
+1 received by user: 115

ID Verified

Subscriber

#682347 6-Sep-2012 14:15

They have my iPad 1 on the list along with my Full Name.

Batman

Mad Scientist
30014 posts

Uber Geek
+1 received by user: 6217

Trusted

Lifetime subscriber

#682360 6-Sep-2012 14:32

Can i ask if your account is registered as in the states? Are non USA accounts affected?

KellyP

1250 posts

Uber Geek
+1 received by user: 115

ID Verified

Subscriber

#682365 6-Sep-2012 14:37

joker97: Can i ask if your account is registered as in the states? Are non USA accounts affected?

NZ Account

Edit: Sorry, you meant the OP

gzt

18684 posts

Uber Geek
+1 received by user: 7824

Lifetime subscriber

#682388 6-Sep-2012 15:06

keewee01: So it looks like these little w@nk5r$ used the stolen details to download a free game from iTunes and to then make an in game purchase of $24.99. Great security Apple!

What was the game used exactly?

keewee01

1743 posts

Uber Geek
+1 received by user: 204

Trusted

#682409 6-Sep-2012 15:48

gzt:
keewee01: So it looks like these little w@nk5r$ used the stolen details to download a free game from iTunes and to then make an in game purchase of $24.99. Great security Apple!

What was the game used exactly?

Kingdoms of Camelot: Battle for the North

They downloaded the free game and then made an in game purchase of gems to the value of the credit I had on my iTunes account.

Apple TV

Stream your favourite shows now on Apple TV (affiliate link).

KellyP

1250 posts

Uber Geek
+1 received by user: 115

ID Verified

Subscriber

#682812 7-Sep-2012 14:10

FBI might not be involved

http://www.marco.org/2012/09/06/udid-theory

regardless, it's a serious security oversight that needs to be addressed ASAP

http://corte.si/posts/security/udid-leak.html

ubergeeknz

3344 posts

Uber Geek
+1 received by user: 1041

Trusted

Vocus

#682814 7-Sep-2012 14:14

James Bond: FBI might not be involved

http://www.marco.org/2012/09/06/udid-theory

regardless, it's a serious security oversight that needs to be addressed ASAP

http://corte.si/posts/security/udid-leak.html

Both of your URLs return 404. Tinfoil hats, everyone!

KellyP

1250 posts

Uber Geek
+1 received by user: 115

ID Verified

Subscriber

#682817 7-Sep-2012 14:20

ubergeeknz:
James Bond: FBI might not be involved

http://www.marco.org/2012/09/06/udid-theory

regardless, it's a serious security oversight that needs to be addressed ASAP

http://corte.si/posts/security/udid-leak.html

Both of your URLs return 404. Tinfoil hats, everyone!

Sorry my mistake, just copy/paste the URLs now.

gzt

18684 posts

Uber Geek
+1 received by user: 7824

Lifetime subscriber

#682898 7-Sep-2012 18:13

There is no convincing evidence it was obtained from the FBI. Just Anonymous's say so.

Line 405 - http://pastebin.com/nfVT7b0Z

It is equally possible the information was obtained from a compromised game database, just as the FBI could have obtained the same information from a compromised game database. No evidence yet either way.

The request on line 424 has been fulfilled btw.

One aspect of this not mentioned so far. The UUID can be used to generate a certificate allowing custom applications to be installed on that device outside the appstore. Jailbreak not needed.

1 | 2 | 3