Because low-cost RF tags must satisfy system security requirements within tight computational limits, lightweight RFID authentication has quickly become one of the hottest research topics in recent years. Recently, Morshed et al. proposed an authentication scheme, called SUAP3, to achieve security and efficiency in ubiquitous RFID-based systems. Later, Safkhani et al. and Wang et al. demonstrated that SUAP3 is insecure against a full-disclosure attack and a tag traceability attack. However, these attacks rest on strong assumptions, so the feasibility of both is somewhat doubtful. In this paper, we present a real passive tag-tracking attack that requires no specific assumptions. An adversary can exploit a series of challenge-response procedures to derive the secrets maintained at the tag. Our cryptanalysis thus proves that SUAP3 is insecure. In addition, we present a novel and robust ubiquitous authentication scheme for RFID-based application systems.