Cancel your tapulous accounts now.

Discussion in 'iTunes App Store Games & Apps' started by SkylarEC, Jul 10, 2009.

  1. SkylarEC Super Moderator Emeritus

    Member Since:
    Sep 19, 2007
    Message Count:
    6,640
    There is a utility called UDID changer, which is useless, but whatever. UDID changer can be used to change the UDID on someone's phone to your UDID.

    Tapulous' complete authorization system is based on UDID. This means that if someone has your UDID and UDID changer, then they have access to your tapulous account. Tapulous stores your passwords on their server, and the only way to get to it is with the correct UDID, your UDID.

    A malicious user changes their UDID to your UDID, accesses your Twinkle account and now has access to your Twitter and Facebook, and whatever else they store.


    For the sake of safety, cancel your Tapulous accounts as soon as possible, or change your Twitter and Facebook passwords until this vulnerability is fixed.


    All it takes for someone to get your UDID is for you to give it to them, whether or not you know you are. Well, how is this possible?
    • The malicious user may just ask you, and you may give it to them.
    • The malicious user may give you screenshots for a fantastic application they are making and offer you a beta. Of course, they need your UDID for you to beta test.
    • The malicious user may be someone you know that actually has access to your device.
    • Installer applications, such as Installer and Cydia, send requests to the server with the UDID in the request. The malicious user may set up a repo to collect UDIDs.
    • Etc. There are so many ways, it's ridiculous.

    Basically, you are not safe: if you have an iPhone or iPod touch and a Tapulous account, you are at risk.


    UPDATE: Tapulous are aware of the exploit, and are now working on a fix.
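
    The design flaw SkylarEC describes is an authorization check that treats a non-secret, client-supplied identifier as the whole credential. The following is an added illustration of that pattern and of the usual fix; it is not Tapulous' code (their server side is not public), and the account records, UDID string and "twitter_token" values are constructed sample data. The weak lookup hands out the stored secrets to whoever presents the matching UDID, while the hardened server uses the UDID only as a lookup key and requires proof of a server-issued random secret over a fresh nonce, so learning someone's UDID no longer gives access to their account.

```python
import hashlib
import hmac
import secrets

# Constructed sample store for the weak scheme: the UDID is the only key and
# the only credential, and the linked-service tokens sit right behind it.
WEAK_ACCOUNTS = {
    "udid-example-0001": {"twitter_token": "tw-token-EXAMPLE"},  # constructed
}


def weak_lookup(claimed_udid):
    """Weak: whoever presents the UDID gets the account's stored secrets.

    The UDID is not secret (it is sent to app repos and handed out for
    betas), so a client that sets it on its own device is indistinguishable
    from the owner. This mirrors the flaw described in the post.
    """
    return WEAK_ACCOUNTS.get(claimed_udid)


class HardenedServer:
    """Hardened: the UDID only selects the record; authorization needs proof of a
    per-account random secret that the server issued once at enrollment.

    Hypothetical design for illustration, not any vendor's actual protocol.
    """

    def __init__(self):
        # udid -> {"secret": bytes, "twitter_token": str}
        self.accounts = {}

    def enroll(self, udid, twitter_token):
        # 256-bit secret, generated server-side and delivered once (over TLS)
        # to the enrolling device. The UDID is just the record's lookup key.
        secret = secrets.token_bytes(32)
        self.accounts[udid] = {"secret": secret, "twitter_token": twitter_token}
        return secret

    def challenge(self):
        # Fresh random nonce per request, so a captured proof cannot be replayed.
        return secrets.token_bytes(16)

    def lookup(self, udid, nonce, proof):
        acct = self.accounts.get(udid)
        if acct is None:
            return None
        expected = hmac.new(acct["secret"], nonce, hashlib.sha256).digest()
        # Constant-time comparison avoids leaking the expected MAC byte by byte.
        if not hmac.compare_digest(expected, proof):
            return None
        return {"twitter_token": acct["twitter_token"]}


def client_prove(secret, nonce):
    """What a legitimate device computes: HMAC of the server's nonce under its secret."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


def demo():
    """Run both schemes against the same constructed UDID and report the outcomes."""
    udid = "udid-example-0001"
    srv = HardenedServer()
    owner_secret = srv.enroll(udid, "tw-token-EXAMPLE")

    nonce = srv.challenge()
    return {
        # Weak scheme: knowing the UDID is enough.
        "weak_udid_only": weak_lookup(udid),
        # Hardened: the owner, holding the secret, still gets in.
        "hardened_owner": srv.lookup(udid, nonce, client_prove(owner_secret, nonce)),
        # Hardened: a client that knows only the UDID is refused.
        "hardened_udid_only": srv.lookup(udid, nonce, client_prove(b"no-secret", nonce)),
        # Hardened: a proof captured for one nonce is useless against the next.
        "hardened_replay": srv.lookup(udid, srv.challenge(), client_prove(owner_secret, nonce)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

    The point the comparison makes is that the identifier and the credential must be different things: the UDID can stay as the account handle, but access has to depend on something the device holds and nobody else can obtain by asking, by collecting repo requests or by borrowing the phone for a moment.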
  2. HxC1337 Banned

    Member Since:
    Jul 9, 2009
    Message Count:
    12
    Device:
    2G iPod touch
    *goes to cancel account*
    Whoa, that's not ok. Thanks for the heads up.
  3. mitchell209 Active Member

    Member Since:
    Jan 21, 2009
    Message Count:
    8,036
    Device:
    iPhone 4 (Black)
    Oh, that doesn't sound good.

    I don't know my Tapulous account, though. :(
    I don't even have a Facebook, so it's all good for me, though. :)

    Let's hope they can fix this soon.
  4. BadKarma Banned

    Member Since:
    Jul 16, 2008
    Message Count:
    4,067
    Device:
    iPod touch
    Very true, but I wonder how you are going to get the "dim-witted" to heed this warning.
  5. mitchell209 Active Member

    Member Since:
    Jan 21, 2009
    Message Count:
    8,036
    Device:
    iPhone 4 (Black)
    We're not. We'll just laugh at them for not heeding the warning.
  6. SkylarEC Super Moderator Emeritus

    Member Since:
    Sep 19, 2007
    Message Count:
    6,640
    The dim-witted failing to heed the warning are those that will make Tapulous take notice and fix their system.
  7. APV Well-Known Member

    Member Since:
    Jan 22, 2009
    Message Count:
    3,041
    What?

    I would think they should get right on to fixing that like now!

    Twinkle is the only twitter app I like to use though... :( darn.
  8. SkylarEC Super Moderator Emeritus

    Member Since:
    Sep 19, 2007
    Message Count:
    6,640
    They won't fix it if they don't know about it. Spread the word.
  9. APV Well-Known Member

    Member Since:
    Jan 22, 2009
    Message Count:
    3,041
    I shall tell them through their twitter and twinkle accounts!
  10. negro101 New Member

    Member Since:
    Feb 22, 2009
    Message Count:
    27
    Alright. How do you cancel it?