OpenFeint, the mobile social gaming network Japan’s GREE acquired for $104 million earlier this year, was sued for a security breach that could have tied users’ mobile device IDs to personally identifiable information like their Facebook or Twitter accounts and location.
The plaintiffs, who are seeking $5 million in damages, say OpenFeint monitored and stored unique device IDs along with users’ browsing history, location and social networking profiles. The suit also argues that OpenFeint’s business plan included the possibility of sharing that information with third-party providers like other developers and ad networks.
Every iPhone, iPod and iPad has a unique ID number, often called a UDID. Developers can access this when users open their apps and it’s not uncommon for them to send this number back to their own servers or to third-party ad networks — a practice that has been very publicly criticized by The Wall Street Journal and has triggered a number of lawsuits seeking class action status.
Many of the big service providers in the industry actually need to store this information to work. OpenFeint would need Facebook IDs and UDIDs to function so it can keep track of what games users play and enable them to share their activity out to their broader social networks. The problem is when these services inadvertently make it possible for others to aggregate this information without user consent. Pretty much all of the biggest companies in the industry encrypt this data as a precaution.
OpenFeint hadn’t been encrypting some of that information up until last month, when a New Zealand-based security specialist reported that he was able to de-anonymize the device ID numbers of OpenFeint users and connect them to their real names on Facebook. The researcher, Aldo Cortesi, who worked at a security consultancy called nullcube, made calls to OpenFeint’s API here, replacing “XXX” with his own device ID number:
With his UDID and OpenFeint’s API, Cortesi was able to pull up data including the last game he played, his location, his account name and Facebook profile picture URL. OpenFeint moved to fix the security hole and now the API only shows the last game played, the score and whether or not the player is online.
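To make the before-and-after contrast concrete, the following is an added illustrative example in Python, not OpenFeint’s code; the profile records, field names and session tokens are constructed. It contrasts a profile lookup that hands full details to anyone who knows a device ID with one that returns only gameplay fields unless the caller holds a session for that device, and shows a keyed hash for storing device IDs so a leaked table cannot be joined to other services’ UDID tables without the key.

```python
import hashlib
import hmac

# Constructed sample data (assumption: not OpenFeint's real schema or tokens).
PROFILES = {
    "abc123udid": {
        "name": "Alice Example",
        "facebook_picture_url": "https://example.invalid/alice.jpg",
        "location": "Auckland, NZ",
        "last_game": "Example Racer",
        "score": 4200,
        "online": True,
    }
}
# Maps an authenticated session token to the device that logged in with it.
SESSIONS = {"tok-alice": "abc123udid"}

# The only fields a caller who merely knows a UDID should ever see.
PUBLIC_FIELDS = ("last_game", "score", "online")


def lookup_before_fix(udid):
    """Original pattern: knowing a device ID is enough to receive the full profile."""
    profile = PROFILES.get(udid)
    return dict(profile) if profile else None


def lookup_after_fix(udid, session_token=None):
    """Post-fix pattern: a bare UDID yields only non-identifying gameplay fields.

    The full profile is returned only when the caller presents a session that
    belongs to that same device; a missing or foreign token gets the public view.
    """
    profile = PROFILES.get(udid)
    if profile is None:
        return None
    if session_token is not None and SESSIONS.get(session_token) == udid:
        return dict(profile)
    return {field: profile[field] for field in PUBLIC_FIELDS}


def pseudonymize_udid(udid, server_key):
    """Keyed hash (HMAC-SHA256) of a device ID for storage, so the stored value
    cannot be reversed to the UDID or correlated across services without the key."""
    return hmac.new(server_key, udid.encode("utf-8"), hashlib.sha256).hexdigest()
```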
Japan’s GREE bought OpenFeint earlier this year as a way of bringing its business model, which combines operating a gaming platform and publishing titles, to markets outside of its home country. Both it and its rival DeNA are trying to find growth opportunities outside of Japan via acquisitions of U.S. mobile social gaming networks.