Last Updated on May 24, 2015
Update 4 Sep 23:38 GMT+2: The FBI issued a tweet denying that it ever had the 12 million Apple IDs in question:
[tweet https://twitter.com/FBIPressOffice/status/243089221529763840 align=’center’]
Here the complete Statement from the FBI Press Office.
Original Post: Few hours ago, the @AnonymousIRC Twitter account has announced yet another resounding cyber attack carried on in name of the #Antisec movement:
[tweet https://twitter.com/AnonymousIRC/status/242822072026398720 align=’center’]
In a special edition of their #FFF refrain (literally quoting the authors of the attack: “so special that’s even not on friday”), the Hacktivists claim to have obtained from FBI 12,000,000 Apple Devices UDIDs (UDID is the short form for Unique Device Identifier, the unique string of numbers that univocally identifies each iOS device), and have consequently published 1,000,001 of them in pastebin post.
In the same post they explain how they were able to obtain them:
During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the AtomicReferenceArray vulnerability on Java, during the shell session some files were downloaded from his Desktop folder one of them with the name of “NCFTA_iOS_devices_intel.csv” turned to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc. the personal details fields referring to people appears many times empty leaving the whole list incompleted on many parts. no other file on the same folder makes mention about this list or its purpose.
Did you notice the misplaced detail? Actually I could not help but notice that the UDIDs were obtained exploiting a Java vulnerability, the AtomicReferenceArray vulnerability (CVE-2012-0507). A detail is not so important in other circumstances, if it had not disclosed only few days after the controversies following the discovery of a potentially devastating 0-day for Java, and the subsequent issues deriving from the release of a vulnerable patch.
There could be no worse moment for this event to happen, and I am afraid it will contribute to add fuel to the raising concerns regarding Java security… Hard days for Java… And for the FBI