Slashdot Mirror


.Mac Webmail Security Hole Allows Arbitrary Access

TexTex writes "Apple's release of .Mac brings their webmail system to the front as one way for .Mac users to access their email (previously webmail was in beta under iTools). However, it seems the URLs that Apple's scripting uses point directly to individual messages rather than requiring you to log in first. So I'm able to type any message's unique URL from any computer and read the contents, regardless of whether I'm a user of .Mac or not, and without logging in. MacFixIt has a full report of one reader's findings." While the URLs may not be easy to guess, they will show up in referer logs if a webmail user clicks a link in an email to go to another web site.

2 of 40 comments

  1. Been there, done that by torinth · Score: 3, Informative

    I vaguely remember something like this happening with Hotmail about 2 years ago. Somebody even figured out how to generate the URLs given a username, so you could go and read anybody's Hotmail if you wanted to. The hole was probably a little different than this, but it's along the same lines.

    -Andrew

  2. NOT a security hole. by Saithier · Score: 3, Informative

    A little research is usually good, and a basic understanding of how WebObjects works usually helps. When you log in to a WebObjects app (webmail in this case) you get a unique session id that becomes part of the URL and is passed to the app with every transaction. This is how it identifies the user. This session id is only used once. If the user logs out and logs in again, they get a new session id. What is happening in this case is that whoever discovered this "security hole" copied the URL to the email, did not log out of webmail, quit the browser (or opened a different one) and pasted the URL in there, and voilà, the email shows up. However, if (s)he had clicked the logout button before attempting to open the URL it would not have worked. Try it yourself to verify if you don't believe me.

    Cheers
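The story and Saithier's reply describe the same mechanism from two sides: a session id carried in the URL makes every message address a bearer credential for as long as the session lives, and the editor's note adds that such URLs land in other sites' referer logs. The toy model below is an added example written for this page, not Apple's or WebObjects' code; the `/wo/<session>/<message>` path shape, the `example.test` hostnames and the access-log lines are all constructed here. It shows a live URL being served to a second, un-logged-in client, the same URL dying after logout (the commenter's point), a cookie-bound variant in which the URL alone grants nothing, and the check a third-party site operator could run over a combined-format access log to see which webmail users have leaked a session in a Referer header.

```python
"""Toy model of session-in-URL vs. cookie-bound webmail sessions, plus a Referer-log check.

Constructed example for this page, not Apple's or WebObjects' code: the URL
layout, hostnames and log lines below are made up for illustration.
"""
import re
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

BASE = "https://webmail.example.test/WebObjects/WebMail.woa/wo"  # assumed path shape


@dataclass
class MailServer:
    """Sessions map a session id to a user; each user owns a few messages."""
    sessions: Dict[str, str] = field(default_factory=dict)
    mailbox: Dict[str, Dict[str, str]] = field(default_factory=dict)

    def login(self, user: str) -> str:
        sid = secrets.token_urlsafe(16)          # 22 URL-safe chars, not guessable
        self.sessions[sid] = user
        return sid

    def logout(self, sid: str) -> None:
        self.sessions.pop(sid, None)             # invalidates every URL carrying sid

    def message_url(self, sid: str, msg_id: str) -> str:
        """Session-in-URL design: the address alone identifies the user."""
        return f"{BASE}/{sid}/{msg_id}"

    def fetch_by_url(self, url: str) -> Optional[str]:
        """Anyone holding the URL is treated as the logged-in user until logout."""
        parts = urlparse(url).path.rsplit("/", 2)
        if len(parts) != 3:
            return None
        _, sid, msg_id = parts
        user = self.sessions.get(sid)
        return None if user is None else self.mailbox.get(user, {}).get(msg_id)

    def fetch_with_cookie(self, url: str, cookie_sid: Optional[str]) -> Optional[str]:
        """Hardened variant: the URL names only the message; identity comes from a
        session cookie, so a copied or leaked URL grants nothing by itself."""
        msg_id = urlparse(url).path.rsplit("/", 1)[-1]
        user = self.sessions.get(cookie_sid or "")
        return None if user is None else self.mailbox.get(user, {}).get(msg_id)


# Constructed "combined" access-log lines as seen by an unrelated web site. The first
# entry is a webmail user who clicked an external link: the Referer carries the session URL.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jul/2002:14:02:11 -0700] "GET /newsletter HTTP/1.1" 200 5120 '
    f'"{BASE}/Ab12Cd34Ef56Gh78Ij90/msg-4412" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Jul/2002:14:03:52 -0700] "GET /newsletter HTTP/1.1" 200 5120 '
    '"https://search.example.test/?q=mac" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jul/2002:14:05:00 -0700] "GET /img/logo.png HTTP/1.1" 200 800 '
    '"-" "Mozilla/5.0"',
]

COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
SESSION_IN_URL = re.compile(r"/wo/([A-Za-z0-9_-]{16,})/")  # matches the assumed BASE layout


def referers_leaking_sessions(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client ip, leaked session id) for every request whose Referer
    carried a session-bearing webmail URL. Unparseable lines are skipped."""
    hits: List[Tuple[str, str]] = []
    for line in lines:
        m = COMBINED.match(line)
        if not m:
            continue
        leak = SESSION_IN_URL.search(m["ref"])
        if leak:
            hits.append((m["ip"], leak.group(1)))
    return hits


def demo() -> dict:
    srv = MailServer()
    srv.mailbox["alice"] = {"msg-4412": "Quarterly figures attached."}
    sid = srv.login("alice")
    url = srv.message_url(sid, "msg-4412")
    results = {"live": srv.fetch_by_url(url)}          # second browser, no login: served
    plain_url = "https://webmail.example.test/mail/msg-4412"
    results["cookie_missing"] = srv.fetch_with_cookie(plain_url, None)  # URL alone: nothing
    results["cookie_present"] = srv.fetch_with_cookie(plain_url, sid)   # cookie present: served
    srv.logout(sid)
    results["after_logout"] = srv.fetch_by_url(url)    # commenter's point: dead after logout
    results["leaks"] = referers_leaking_sessions(SAMPLE_LOG)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Both readings of the thread hold in the model: the URL stops working once the session is destroyed, and it works for anyone at all until then. Logout therefore narrows the exposure but does not remove it, because the address is copied into Referer headers, browser history and proxy logs during the session's lifetime, and a user who simply closes the browser never logs out. Keeping the token in a cookie (today with `HttpOnly` and `Secure`) and sending a `Referrer-Policy: no-referrer` header on the webmail pages are the corresponding mitigations.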