Slashdot Mirror


.Mac Webmail Security Hole Allows Arbitrary Access

TexTex writes "Apple's release of .Mac brings their webmail system to the front as one way for .Mac users to access their email (previously webmail was in beta under iTools). However, it seems the URLs that Apple's scripting uses point directly to individual messages rather than requiring you to log in first. So I'm able to type any message's unique URL from any computer and read the contents, regardless of whether I'm a user of .Mac or not, and without logging in. MacFixIt has a full report of one reader's findings." While the URLs may not be easy to guess, they will show up in referer logs if a webmail user clicks a link in an email to go to another web site.
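As an added illustration (not from the article and not Apple's code), here is a small Python model of the flaw the story describes, the hardened handler a defender would want instead, and a log check for the referer leak the editor mentions. The message ids, the /webmail/message/ path, the session cookie values and the access-log lines are all constructed; the Referrer-Policy header is a modern mitigation that did not exist in 2002.

```python
import re

# Constructed sample mailbox (not from the article): message id -> (owner, body)
MESSAGES = {
    "msg-1001": ("alice", "Your invoice is attached."),
    "msg-1002": ("bob", "Meeting moved to 3pm."),
}
# Constructed session store: cookie value -> logged-in user
SESSIONS = {"sess-alice": "alice"}

def fetch_message_vulnerable(msg_id):
    """The pattern the story describes: the URL alone selects the message,
    so anyone holding the URL can read it without logging in."""
    record = MESSAGES.get(msg_id)
    return record[1] if record else None

def fetch_message_hardened(msg_id, session_cookie):
    """Require a valid session, then check the message belongs to that user.
    Returns (status, body, response_headers). Unknown and foreign ids both
    get 404 so the handler does not confirm which ids exist."""
    user = SESSIONS.get(session_cookie)
    if user is None:
        return 401, None, {}
    record = MESSAGES.get(msg_id)
    if record is None or record[0] != user:
        return 404, None, {}
    # Referrer-Policy (a later, modern header) stops the browser from sending
    # the message URL as Referer when the user follows a link out of the mail view.
    return 200, record[1], {"Referrer-Policy": "no-referrer"}

# Referer field of a combined-format access log line
LOG_RE = re.compile(r'"(?:GET|POST) [^"]*" \d{3} \S+ "(?P<referer>[^"]*)"')
# Constructed shape of a direct message URL on a hypothetical webmail host
MESSAGE_URL_RE = re.compile(r"https?://[^/]+/webmail/message/msg-\d+")

# Constructed access log from a page the tester controls
SAMPLE_LOG = [
    '203.0.113.5 - - [18/Jul/2002:10:00:00 +0000] "GET /article HTTP/1.0" 200 512 '
    '"https://webmail.example/webmail/message/msg-1001" "Mozilla/5.0"',
    '203.0.113.6 - - [18/Jul/2002:10:00:03 +0000] "GET /article HTTP/1.0" 200 512 '
    '"-" "Mozilla/5.0"',
]

def leaked_message_urls(log_lines):
    """Scan an access log for Referer values that are webmail message URLs:
    the check a tester runs on a page they control after clicking out of the
    mail view, before and after the fix, to confirm the URL no longer leaks."""
    found = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and MESSAGE_URL_RE.match(m.group("referer")):
            found.append(m.group("referer"))
    return found
```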

3 of 40 comments

  1. Referer-Headers are evil by Anonymous Coward · · Score: 1, Interesting

    Is there a good reason to have referer-headers these days? As far as I can tell they are only abused for locking people out and discovering information that should not be discovered. Yes, the .mac implementation is asking for trouble with or without referer headers, but still...

    1. Re:Referer-Headers are evil by Senjaz · · Score: 3, Interesting

      They can be useful...

      1) If a page normally displayed within a frame set is navigated to from outside of the site it would not appear within the frame set. The page would be without its main form of site navigation.

      By checking the referrer header in javascript you can cause the page to be reloaded within the frame set. This is one way you can repair frame sets.

      2) The referrer header allows a page author to see who is linking to him. A useful statistic.

      3) You can set up a redirect on your site so people linking from slashdot end up seeing google's cached version of your site so you don't get Slashdotted.

      Just some things off the top of my head, there are probably more legitimately useful things to use it for.

      --
      Don't blame me - this .sig had steal me written all over it.
  2. Apple and security by theolein · · Score: 4, Interesting

    As others have pointed out Apple will take some flak because of this because of the move to a subscription of $100/year for the .Mac stuff. Apple has been good about responding to security problems generally but they will also have to realise that the renewed popularity of the Mac and OSX is going to attract some "insects" to the light, so to speak. This is the same hole as Hotmail had about a year ago and Apple would be advised to wake up and be more careful in future.

    At MacFixit, they also point out that Apple's German version of the webmail service is so badly translated (archiv does not mean trash in English, Apple) and I find it ironic that the info and post is on MacFixit, a site whose excellent service to the Mac community got it blacklisted by Apple at the last BS MacWorld NY.

    Once again Apple: wake the fuck up.