Slashdot Mirror


.Mac Webmail Security Hole Allows Arbitrary Access

TexTex writes "Apple's release of .Mac brings their webmail system to the front as one way for .Mac users to access their email (previously webmail was in beta under iTools). However, it seems the URLs that Apple's scripting uses point directly to individual messages rather than requiring you to log in first. So I'm able to type any message's unique URL from any computer and read the contents, regardless of whether I'm a user of .Mac or not, and without logging in. MacFixIt has a full report of one reader's findings." While the URLs may not be easy to guess, they will show up in referer logs if a webmail user clicks a link in an email to go to another web site.
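As an added illustration, not taken from the Slashdot story, the MacFixIt report or Apple's own code, the defect described above modelled in a toy Python webmail backend: the insecure path hands back a message from the id in its URL alone, the hardened path requires a session that belongs to the message's owner, and a small referer model shows why a hard-to-guess URL is not a secret once it lands in another site's logs. Every user, id, message body and the simplified referrer-policy model below are invented for this example.

```python
"""Constructed demo: message-by-URL access without a session check (the
reported .Mac behaviour) beside the hardened check. All data is invented."""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Message:
    owner: str
    subject: str
    body: str


# Constructed mailbox. The keys stand in for the opaque per-message ids that
# appear in the webmail URLs; they are hard to guess but not secret.
MESSAGES: Dict[str, Message] = {
    "a1f9c3e7b204": Message("steve", "Re: switch ads", "Still not getting a Dell."),
    "7d0e44b9c1aa": Message("alice", "Lunch?", "Noon works for me."),
}

SESSIONS: Dict[str, str] = {}  # session token -> username


def login(username: str) -> str:
    """Issue an unguessable session token; this is the step the URLs skipped."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token


def fetch_message_insecure(msg_id: str) -> Optional[str]:
    """Reported behaviour: the URL alone selects the message, no login needed.
    Anyone holding the URL (e.g. from a referer log) reads the mail."""
    msg = MESSAGES.get(msg_id)
    return msg.body if msg else None


def fetch_message_secure(session_token: Optional[str], msg_id: str) -> Optional[str]:
    """Hardened: require a valid session AND check that the session's user
    owns the message. Unknown id and wrong owner both yield None (a 404 in a
    real server) so the response does not confirm which ids exist."""
    user = SESSIONS.get(session_token or "")
    if user is None:
        return None  # no session: send to the login page instead
    msg = MESSAGES.get(msg_id)
    if msg is None or msg.owner != user:
        return None
    return msg.body


def referer_for_click(message_url: str, referrer_policy: str) -> str:
    """Simplified model of the Referer header a browser sends when the user
    clicks an outbound link from the message page. 'no-referrer' is the
    modern Referrer-Policy value that stops the leak; anything else is
    treated as the legacy behaviour of 2002 browsers, which sent the full
    URL, message id included, to the destination site's logs."""
    if referrer_policy == "no-referrer":
        return ""
    return message_url


def attacker_reads_from_log(leaked_url: str, hardened: bool) -> Optional[str]:
    """An outsider replays a URL harvested from a referer log. Without the
    session check this succeeds; with it, the URL alone yields nothing."""
    msg_id = leaked_url.rsplit("/", 1)[-1]
    if hardened:
        return fetch_message_secure(None, msg_id)
    return fetch_message_insecure(msg_id)


if __name__ == "__main__":
    url = "https://webmail.example/msg/a1f9c3e7b204"
    leaked = referer_for_click(url, "legacy")
    print("insecure:", attacker_reads_from_log(leaked, hardened=False))
    print("hardened:", attacker_reads_from_log(leaked, hardened=True))
    print("owner   :", fetch_message_secure(login("steve"), "a1f9c3e7b204"))
```

The two fixes are independent: the ownership check stops a leaked URL from being useful, and suppressing the referer stops it from leaking in the first place; a webmail that does only the second is still one log entry away from exposure.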

4 of 40 comments

  1. Re:Been there, done that by sg3000 · · Score: 5, Funny
    > I vaguely remember something like this happening with Hotmail about 2 years ago. Somebody even figured out how to generate the URLs given a username, so you could go and read anybody's hotmail if you wanted to. The hole was probably a little different than this, but it's along the same lines.

    No, this is a completely different situation. For one, Hotmail is free, but .Mac users pay for the privilege of this security hole.
    --
    Insert simplistic political, ideological, or personal proselytization here.
  2. Re:quite a hole by sg3000 · · Score: 5, Funny

    > I've not tested this yet on other random numbers but
    > that constitutes quite a hole. I'd imagine Apple will be
    > quick to fix it though...they're getting enough media
    > flak for charging for the service now.

    Actually, with Apple's current track record, they'll make a fix, but to get it, you have to pay an extra $29/year to upgrade to a "premium" account. Luckily, they'll bundle a rock that keeps tigers away (a $59 value), so it will still be a good deal!

    --
    Insert simplistic political, ideological, or personal proselytization here.
  3. Hmmmm. by usr122122121 · · Score: 4, Funny
    Let me get this straight, Apple doesn't know how to use WebObjects correctly?

    Someone call Alanis Morissette, this is the real thing.

    --

    -braxton
  4. I tested the hole and hacked some guy's account by BlackBolt · · Score: 4, Funny

    From - Tue Jul 23 13:10:54 2002
    X-Mozilla-Status: 0001
    X-Mozilla-Status2: 10800000
    Message-ID: <3D3C8A0B.3160711@mac.com>
    Date: Tue, 23 Jul 2002 13:10:34 -0400
    From: SexySteve33 <stevejobs@mac.com>
    User-Agent: Mozilla/5.0 (MacOS6; U; en-US; rv:1.0.0) Gecko/20020530
    X-Accept-Language: en-us, en
    MIME-Version: 1.0
    To: "Michael Dell" <bigcheez@dell.com>
    Subject: Please UNSUBSCRIBE ME from your Mailing List
    Content-Type: multipart/mixed;
    boundary="------------080203142303090106000203"

    This is a multi-part message in MIME format.
    --------------080203142303090106000203
    Content-Type: text/plain; charset=us-ascii; format=flowed
    Content-Transfer-Encoding: 7bit

    Mister Dell,

    FOR THE THOUSANDTH TIME, "DUDE, I *AM NOT* GETTING A DELL"!! IF I SEE THAT STEVEN IDIOT ONE MORE TIME SMILING STUPIDLY AT ME FROM MY INBOX I'M GONNA SNAP! SPAM ME ONE MORE TIME AND I WILL COME DOWN THERE AND RAM YOUR GODDAMN "DULL LATIDUDE CRAPTOP" UP YOUR FAT WINTEL ASS!!

    NOW REMOVE ME FROM YOUR EMAIL LIST!!!!!!!!!!!!!!!!!!!!!!1

    I MEAN IT - YOU SEND ME ONE MORE DELL SPAM AND I'M SENDING YOU THE ENTIRE COLLECTION OF SWITCH ADS IN HIGH-QUALITY QUICKTIME FORMAT.

    Sincerely,
    Steve

    "Michael Dell" <bigcheez@dell.com> wrote:

    > How Would YOU feel behind the wheel of a brand new grey plastic laptop?
    > Dell has a special one-time only deal on our fiery hot new P4 laptops,
    > guaranteed to run twice as hot as the old ones!
    >
    > We see by your customer profile that you have never had the pleasure of owning
    > a Dell. We would like you to switch! Now is the time for us as a wonderful vendor
    > and you as a potential victim to get together and make sweet financial love.

    [snipped in disgust]

    BlackBolt