"There are a number of far more serious problems still unfixed in the gaming social networks I discussed, but I would like to avoid describing those directly," Cortesi said Tuesday via email. "I [also] know of similar vulnerabilities in a number of non-gaming applications."
One of the problems is that user information linked to UDIDs has been aggregated in thousands of databases that now exist all over the Web, Cortesi said. "It takes only a single leak or security incident for data like this to be exposed."
"It's common, for instance, for app developers to use a UDID as a pseudo-identifier for users, and then to use that for tracking and analytics," Cortesi said. "The result would be a database of UDIDs with some associated behavioral information."
The use of UDIDs has been deprecated since iOS 5.0 and Apple has started rejecting App Store submissions for apps that access UDIDs since March.
The UDID was a bad idea from the beginning and Apple should have realized its privacy implications, Cortesi said. "I believe that they're doing what they can to move the application ecosystem away from using UDIDs as quickly as possible. They've just not quite been quick enough."
Apple did not return a request for comment regarding the leak of 1 million UDIDs.
(Jeremy Kirk in Sydney contributed to this report.)