.Mac Webmail Security Hole Allows Arbitrary Access
TexTex writes "Apple's release of .Mac brings their webmail system to the front as one way for .Mac users to access their email (previously webmail was in beta under iTools). However, it seems the URLs that Apple's scripting uses point directly to individual messages rather than requiring you to log in first. So I'm able to type any message's unique URL from any computer and read the contents, regardless of whether I'm a user of .Mac or not, and without logging in. MacFixIt has a full report of one reader's findings." While the URLs may not be easy to guess, they will show up in referer logs if a webmail user clicks a link in an email to go to another web site.
They did pretty well on the Software Update security flaw - how long do you think they will take to fix this, given that it is a *ahem* Premium Service?
I vaguely remember something like this happening with Hotmail about 2 years ago. Somebody even figured out how to generate the URLs given a username, so you could go and read anybody's Hotmail if you wanted to. The hole was probably a little different than this, but it's along the same lines.
-Andrew
Guess what, Apple? This would have been unacceptable in any case, but now that you're charging $100/yr for this service, customers (no longer just "users") are going to start being more demanding about service, reliability, and security. It's the flip side of the coin, almost literally.
"Science is a tribute to what we can know although we are fallible" -Jacob Bronowski
I've not tested this yet on other random numbers but that constitutes quite a hole. I'd imagine Apple will be quick to fix it though...they're getting enough media flak for charging for the service now.
Is there a good reason to have referer-headers these days? As far as I can tell they are only abused for locking people out and discovering information that should not be discovered. Yes, the .mac implementation is asking for trouble with or without referer headers, but still...
As others have pointed out, Apple will take some flak because of this because of the move to a subscription of $100/year for the .Mac stuff. Apple has been good about responding to security problems generally, but they will also have to realise that the renewed popularity of the Mac and OS X is going to attract some "insects" to the light, so to speak. This is the same hole as Hotmail had about a year ago and Apple would be advised to wake up and be more careful in future.
At MacFixIt, they also point out that Apple's German version of the webmail service is so badly translated (Archiv does not mean trash in English, Apple) and I find it ironic that the info and post is on MacFixIt, a site whose excellent service to the Mac community got it blacklisted by Apple at the last BS MacWorld NY.
Once again Apple: wake the fuck up.
As I understand it, the problem is that they've got WebObjects storing session information in the URL instead of using cookies. Should be an easy fix, but then again, I know jack sh*t about WebObjects.
If you don't have anything nice to say, shut up you stupid prick.
Someone call Alanis Morissette, this is the real thing.
-braxton
iTools is dead. It's been reborn as .Mac for $100 per year. Take it if you want it, otherwise go get a Yahoo or Hotmail account.
You thought YOU had free email for YOUR life Ha... Oldest sales trick in the book... or one of anyway.
A little research is usually good, and a basic understanding of how WebObjects works usually helps. When you log in to a WebObjects app (webmail in this case) you get a unique session id that becomes part of the URL and is passed to the app with every transaction. This is how it identifies the user. This session id is only used once. If the user logs out, and logs in again, they get a new session id. What is happening in this case is that whoever discovered this "security hole" copied the URL to the email, did not log out of webmail, quit the browser (or opened a different one) and pasted the URL in there, voila, the email shows up. However, if (s)he clicked the logout button before attempting to open the URL it would not have worked. Try it yourself to verify if you don't believe me.
Cheers
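The session-in-URL design described in the post above, next to the cookie and IP-binding alternatives proposed later in the thread, as an added illustration that is not Apple's WebObjects code; the in-memory store, the `wosid` parameter name (WebObjects' usual session query parameter) and every URL, address and user name here are constructed for the example.

```python
import secrets
from urllib.parse import urlsplit, parse_qs

SESSION_TTL = 15 * 60   # the thread says a webmail URL stays valid for roughly 15 minutes

class SessionStore:
    """In-memory session table: sid -> (user, client_ip, issued_at). Constructed model."""
    def __init__(self):
        self.sessions = {}

    def login(self, user, client_ip, now):
        sid = secrets.token_urlsafe(16)   # unguessable, but no longer secret once it sits in a URL
        self.sessions[sid] = (user, client_ip, now)
        return sid

    def logout(self, sid):
        self.sessions.pop(sid, None)      # why the copied URL stops working after a logout

    def resolve(self, sid, client_ip, now, bind_ip=False):
        """Return the user for sid, or None if unknown, expired or (with bind_ip) from another address."""
        entry = self.sessions.get(sid)
        if entry is None:
            return None
        user, issued_ip, issued_at = entry
        if now - issued_at > SESSION_TTL:
            self.sessions.pop(sid, None)
            return None
        if bind_ip and client_ip != issued_ip:
            return None
        return user

def session_leaked_via_referer(page_url):
    """A browser sends the current page's full URL, query string included, as the
    Referer when the user follows a link; a session carried in that URL goes with it."""
    return "wosid" in parse_qs(urlsplit(page_url).query)

def user_from_request(store, url, cookies, client_ip, now, bind_ip=False):
    """Session-in-cookie design first; fall back to the WebObjects-style ?wosid= parameter."""
    sid = cookies.get("sid")
    if sid is None:
        sid = parse_qs(urlsplit(url).query).get("wosid", [None])[0]
    if sid is None:
        return None
    return store.resolve(sid, client_ip, now, bind_ip)
```

With the session in a cookie the page URL carries nothing worth logging, so a clicked link leaks no session through the Referer header.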
Yet another excuse to Bash Apple.
This is silly. First off, the URL is only valid for 15 minutes or so.
Secondly, it is such an easy fix, I wouldn't be surprised to find out that it isn't already fixed and implemented. All they have to do is check the IP address of the machine making the request, or move to cookies for session info. Or, better yet, go to SSL.
I can understand people being pissed about having to pay for .Mac-- people are cheap SOBs in general. Including me. They misexecuted this one.
But to have the highest modded post in this discussion being a straight out bash calling for Apple to "wake up" is absurd- and ignores the fact that they have long been delivering the best value for the money of any computer maker out there. They don't charge for iTunes ($30 worth), iMovie ($20 worth to me), QuickTime ($20 worth to me - I get pro features by writing my own player, the codecs are worth $20 to me easily), iCal or iSync, $25 and $5 respectively. Mail.app, $25, dev environment is worth $300, Sherlock 3 is worth $30, iDVD $40 worth..... so in a sense, they've already paid for my first seven years of .Mac by giving me software worth that much *to me*. And I didn't even include iPhoto, or the FCP and Cinema Tools discounts that I get for being a Mac user.
If I'd had to buy that software retail it would have cost more than the values I've put down for it.
If they continue to deliver free apps, and add value to the ones already out there -- something they've shown a willingness to do, then I continue to come out ahead.
And to top it all off, if I wanted to, I didn't HAVE to pay for .Mac.
The upgrade price of Jaguar for current 10 users is a bit annoying, though. They add a lot and I understand why they're charging... but it should be $70 if you've already bought the box retail, as I have. (But, it's easy for me to say since, as a developer, they'll send it to me anyway. Course that cost me $500, but this is just another $129 discount I'm getting, on top of the $2,000 in other discounts I've already gotten.)
Apple treats its people well. Cheapskates will always whine when you try to charge for something that was free...while they happily use iTunes and don't pay for it and give it no value.
That's one downside to open source-- it's played into the pricing psychology discovered long ago. People will value something based on what you're asking for it. Ask $700 for a piece of software and they'll think it's a great deal if they get it for $500. Ask $500 for the SAME SOFTWARE and they'll think it's too expensive and your sales are lower.
Give away software for free, or internet services for free, and nobody pays for them-- which is why nobody's got a successful subscription service on the net (except for a couple situations.)
Apple thought the added value of growing the userbase would offset the costs-- but it didn't, the costs were absurd, and so they are solving the problem. Much as I hate to pay for .Mac, even though I'm getting a great deal at $50 and have lots of free software to balance it out, I would rather have them do this than have them eliminate the service.
Yeah, and you guys panned the ipod too: http://apple.slashdot.org/article.pl?sid=01/10/23
From - Tue Jul 23 13:10:54 2002
Content-Type: text/plain; charset=us-ascii; format=flowed
X-Mozilla-Status: 0001
X-Mozilla-Status2: 10800000
Message-ID: <3D3C8A0B.3160711@mac.com>
Date: Tue, 23 Jul 2002 13:10:34 -0400
From: SexySteve33 <stevejobs@mac.com>
User-Agent: Mozilla/5.0 (MacOS6; U; en-US; rv:1.0.0) Gecko/20020530
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: "Michael Dell" <bigcheez@dell.com>
Subject: Please UNSUBSCRIBE ME from your Mailing List
Content-Type: multipart/mixed;
boundary="------------080203142303090106000203"
This is a multi-part message in MIME format.
--------------080203142303090106000203
Content-Transfer-Encoding: 7bit
Mister Dell,
FOR THE THOUSANDTH TIME, "DUDE, I *AM NOT* GETTING A DELL"!! IF I SEE THAT STEVEN IDIOT ONE MORE TIME SMILING STUPIDLY AT ME FROM MY INBOX I'M GONNA SNAP! SPAM ME ONE MORE TIME AND I WILL COME DOWN THERE AND RAM YOUR GODDAMN "DULL LATIDUDE CRAPTOP" UP YOUR FAT WINTEL ASS!!
NOW REMOVE ME FROM YOUR EMAIL LIST!!!!!!!!!!!!!!!!!!!!!!1
I MEAN IT - YOU SEND ME ONE MORE DELL SPAM AND I'M SENDING YOU THE ENTIRE COLLECTION OF SWITCH ADS IN HIGH-QUALITY QUICKTIME FORMAT.
Sincerely,
Steve
"Michael Dell" <bigcheez@dell.com> wrote:
> How Would YOU feel behind the wheel of a brand new grey plastic laptop?
> Dell has a special one-time only deal on our fiery hot new P4 laptops,
> guaranteed to run twice as hot as the old ones!
>
> We see by your customer profile that you have never had the pleasure of owning
> a Dell. We would like you to switch! Now is the time for us as a wonderful vendor
> and you as a potential victim to get together and make sweet financial love.
[snipped in disgust]
BlackBolt
I was using Webmail and was kicked out. After trying to log in again I was able to get back to Webmail and this security hole is gone now...
One thing I don't get in this thread is all the talk about the referer url : did you look at webmail URL when you are reading a mail ?
webmail is not exposing the referer URL : it's using a redirection for every link like : http://webmail.mac.com/redirect
Just because you don't want to pay for it doesn't mean you have to spread ill-researched crap about it.
I'm keeping mine because I like the features. Roughly $8/mo isn't much to ask.
Macfixit are now reporting that the security hole is fixed:
Apple is not alone in embedding a session key into the URL. Users should be aware that passing on such a URL will (at least for a short while) enable others to use their login.
Here's MacFixIt's summary:
No doubt.
Is Mac webmail encrypted?
War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?
...instead of screwing around with .mac security holes? Hotmail has never had this type of problem!