We present a black-box attack that is able to fully recover the secret values shared between entities involved in an authentication protocol. First, we explain how this black-box technique can be successfully applied against the class of protocols commonly known as ultralightweight protocols. Then, the effectiveness of this attack is shown by successfully cryptanalyzing the David-Prasad ultralightweight protocol [1], which is one of the most recent proposals in this research area. We show how we can recover the secret static identifier ID – the most valuable information which the protocol is designed to conceal – after eavesdropping only one protocol session. Our attack compares favorably to previous attacks against this protocol, and constitutes an interesting alternative for the very realistic scenario of attackers having access only to messages exchanged during a single authentication session. We also show how this disclosure attack can be used to mount a very powerful traceability attack that also improves on previous results.