
Don’t enter your iOS UUID into a WebForm

This morning’s news carries a story about how an FBI agent’s laptop was hacked using a malicious JavaScript exploit, and that a file containing the personal data of millions of iOS device users was stolen from the hacked laptop. Interestingly, perhaps even predictably, and irrationally, several websites have sprung up offering to compare the leaked list to your own UUID (which you are expected to enter into a web form) to let you know if your own information was part of the leaked set. I agree that it would be useful to know if your privacy is compromised, but publishing your private data to a website purporting to check for you is NOT the way to do this.

In fact, you are giving the private data away again; so please don’t do it.

We should instead be asking:
1) why was the laptop allowed to run JavaScript on an OS that is difficult to secure?
2) why was the FBI collecting this sort of data in the first place?
3) why was this sensitive data allowed to be on a laptop and not in a server that is harder to get to and can be audited?

If we feel we must check, it is better to download a leaked copy of the data yourself and then compare it in the privacy of your own computer – of course that means you will have a copy of many other people’s private data too – and does that make you a criminal as well? I am not a lawyer – but the risks seem pretty high just to find out whether your own data is in the leaked set.

The news I am talking about:
AntiSec hackers leak 1,000,001 Apple device IDs allegedly obtained from FBI breach

Hackers leak 1 million Apple device IDs

Update: Well, the FBI is denying the allegations that their laptop was involved and that the data came from them; I guess one always needs to verify the sources of the information. The basic advice not to submit your data to a web form still applies though.

Update 2: Wow! Turns out it was not initially the FBI at all, but an app developer that was the source of the leaked UUIDs – and this inquisitive person figured it out: Tracking Down the UDID Breach Source
