.Mac Webmail Security Hole Allows Arbitrary Access

TexTex writes "Apple's release of .Mac brings their webmail system to the front as one way for .Mac users to access their email (previously webmail was in beta under iTools). However, it seems the URLs that Apple's scripting uses point directly to individual messages rather than requiring you to log in first. So I'm able to type any message's unique URL from any computer and read the contents, regardless if I'm a user of .Mac or not, and without logging in. MacFixIt has a full report of one reader's findings." While the URLs may not be easy to guess, they will show up in referer logs if a webmail user clicks a link in an email to go to another web site.

Lets all Bash Apple!

[BitGeek]

Yet another excuse to Bash Apple.

This is silly. First off, the URL is only valid for 15 minutes or so.

Secondly, it is such an easy fix, I wouldn't be surprised to find out that it isn't already fixed and implemented. All they have to do is check the ip address of the machine making the request, or move to cookies for session info. Or, better yet, go to SSL.

I can understand people being pissed about having to pay for ,Mac-- people are cheap SOBs in general. Including me. They misexecuted this one.

But to have the highest moded post in this discussion being a straight out bash calling for Apple to "wake up" is absurd- and ignores the fact that they have long been delivering the best value for the money of any computer maker out there. They don't charge for iTunes,($30 worth), iMovie ($20 worth to me), Quicktime ($20 worth to me - I get pro features by writing my own player, the codecs are worth $20 to me easily.) iCal or iSync, $25 and $5 respectively. Mail.app, $25, Deve environment is worth $300, Sherlock3 is worth $30, iDVD $40 worth..... so in a sense, they've already paid for my first seven years of .Mac by giving me software worth that much *to me*. And I didn't even include iPhoto, or the FCP and Cinema tools discounts that I get for being a Mac user.

If I'd had to buy that software retail it would have cost more than the values I've put down for it.

If they continue to deliver free apps,and add value to the one's already out there -- something they've shown a willingness to do, then I continue to come out ahead.

And to top it all off, if I wanted to, I didn't HAVE to pay for .Mac.

The upgrade price of jaguar for current 10 users is a bit annoying, though. They add a lot and I understand why they're charging... but it should be $70 if you've already bought the box retail, as I have. (But, its easy for me to say since, as a developer, they'll send it to me anyway. Course that cost me $500, but this is just another $129 discount I'm getting, on top of the $2,000 in other discounts I've already gotten.)

Apple treats its people well. Cheapscates will always whine when you try to charge for something that was free...while they happily use iTunes and don't pay for it and give it no value.

Thats one downside to opensource-- its played into the pricing psychology discovered long ago. People will value something based on what you're asking for it. Ask $700 for a piece of software and they'll think its a great deal if they get it for $500. Ask $500 for the SAME SOFTWARE and they'll think its too expensive nad your sales are lower.

Give away software for free, or internet services for free, and nobody pays for them-- which is why nobody's got a successful subscription service on the net (except for a couple situations.)

Apple thought the added value of growing the userbase would offset the costs-- but it didn't, the costs were absurd, and so they are solving hte problem. Much as I hate to pay for .Mac, even though I'm getting a great deal at $50 and have lots of free software to balance it out, I would rather have them do this than have them eliminate the service.