Security Specialist Says He Was Able to De-Anonymize Device IDs of OpenFeint Users

A New Zealand-based security specialist says he was able to de-anonymize device ID numbers of OpenFeint users and connect them to their real names on Facebook. OpenFeint is a mobile-social gaming network that says it serves 75 million users and is used in 5,000 apps. It was recently acquired by Japan’s GREE for $104 million.

Aldo Cortesi, who works at a security consultancy called nullcube, made calls to OpenFeint’s API here, replacing “XXX” with his own device ID number:

Every iPhone, iPod and iPad has a unique ID number, often called a UDID. Developers can access this when users open their apps and it’s not uncommon for them to send this number back to their own servers or to third-party ad networks — a practice that has been very publicly criticized by The Wall Street Journal and has triggered a number of lawsuits seeking class action status.

With his UDID and OpenFeint’s API, Cortesi was able to pull up data including the last game he played, his location, his account name and Facebook profile picture URL.

Contained in the Facebook profile picture URL is the user’s ID number for the social network, which would then allow someone to capture their name and other publicly shared information like their friend list and “likes” or connections. According to AppData, OpenFeint has 163,405 monthly active users on the Facebook platform, which is likely a fraction of the total number of users who have ever connected the mobile-social gaming network to Facebook.

To stress this: OpenFeint has made a number of fixes, including closing the hole that connected UDIDs to a user’s location. However, some personal information is still accessible.

I used the tool this morning to pull up my OpenFeint ID and see the last game I played on the network. However, it looks like OpenFeint may have purposefully broken its Facebook Connect integration, since I can’t log into the social network on their app. OpenFeint has not yet replied to our requests for comment.

Cortesi says he alerted the company to the problem last month and that the company’s chief executive Jason Citron reached out to him, thanked him for pointing out the vulnerability and said that the company had tightened its API in response. Citron wrote him last week saying, “We will continue to pay attention to the issues you raised and will continue to adjust our practices as necessary.”