.Mac Webmail Security Hole Allows Arbitrary Access
TexTex writes "Apple's release of .Mac brings their webmail system to the front as one way for .Mac users to access their email (previously webmail was in beta under iTools). However, it seems the URLs that Apple's scripting uses point directly to individual messages rather than requiring you to log in first. So I'm able to type any message's unique URL from any computer and read the contents, regardless of whether I'm a user of .Mac or not, and without logging in. MacFixIt has a full report of one reader's findings." While the URLs may not be easy to guess, they will show up in referer logs if a webmail user clicks a link in an email to go to another web site.
I vaguely remember something like this happening with Hotmail about 2 years ago. Somebody even figured out how to generate the URLs given a username, so you could go and read anybody's Hotmail if you wanted to. The hole was probably a little different than this, but it's along the same lines.
-Andrew
> I've not tested this yet on other random numbers but
> that constitutes quite a hole. I'd imagine Apple will be
> quick to fix it though...they're getting enough media
> flak for charging for the service now.
Actually, with Apple's current track record, they'll make a fix, but to get it, you have to pay an extra $29/year to upgrade to a "premium" account. Luckily, they'll bundle a rock that keeps tigers away (a $59 value), so it will still be a good deal!
Insert simplistic political, ideological, or personal proselytization here.
As others have pointed out, Apple will take some flak because of this because of the move to a subscription of $100/year for the .Mac stuff. Apple has been good about responding to security problems generally, but they will also have to realise that the renewed popularity of the Mac and OSX is going to attract some "insects" to the light, so to speak. This is the same hole as Hotmail had about a year ago and Apple would be advised to wake up and be more careful in future.
At MacFixIt, they also point out that Apple's German version of the webmail service is so badly translated (archiv does not mean trash in English, Apple), and I find it ironic that the info and post is on MacFixIt, a site whose excellent service to the Mac community got it blacklisted by Apple at the last BS MacWorld NY.
Once again Apple: wake the fuck up.
Someone call Alanis Morissette, this is the real thing.
-braxton
They can be useful...
1) If a page normally displayed within a frame set is navigated to from outside of the site it would not appear within the frame set. The page would be without its main form of site navigation.
By checking the referrer header in JavaScript you can cause the page to be reloaded within the frame set. This is one way you can repair frame sets.
2) The referrer header allows a page author to see who is linking to him. A useful statistic.
3) You can set up a redirect on your site so people linking from slashdot end up seeing google's cached version of your site so you don't get Slashdotted.
Just some things off the top of my head; there are probably more legitimately useful things to use it for.
Don't blame me - this
A little research is usually good, and a basic understanding of how WebObjects works usually helps. When you log in to a WebObjects app (webmail in this case) you get a unique session id that becomes part of the URL and is passed to the app with every transaction. This is how it identifies the user. This session id is only used once. If the user logs out, and logs in again, they get a new session id. What is happening in this case is that whoever discovered this "security hole" copied the URL to the email, did not log out of webmail, quit the browser (or opened a different one) and pasted the URL in there, voila, the email shows up. However, if (s)he clicked the logout button before attempting to open the URL it would not have worked. Try it yourself to verify if you don't believe me.
Cheers
Yet another excuse to Bash Apple.
This is silly. First off, the URL is only valid for 15 minutes or so.
Secondly, it is such an easy fix, I wouldn't be surprised to find out that it isn't already fixed and implemented. All they have to do is check the IP address of the machine making the request, or move to cookies for session info. Or, better yet, go to SSL.
I can understand people being pissed about having to pay for .Mac-- people are cheap SOBs in general. Including me. They misexecuted this one.
But to have the highest modded post in this discussion being a straight out bash calling for Apple to "wake up" is absurd- and ignores the fact that they have long been delivering the best value for the money of any computer maker out there. They don't charge for iTunes ($30 worth), iMovie ($20 worth to me), Quicktime ($20 worth to me - I get pro features by writing my own player, the codecs are worth $20 to me easily.) iCal or iSync, $25 and $5 respectively. Mail.app, $25, Dev environment is worth $300, Sherlock3 is worth $30, iDVD $40 worth..... so in a sense, they've already paid for my first seven years of .Mac by giving me software worth that much *to me*. And I didn't even include iPhoto, or the FCP and Cinema tools discounts that I get for being a Mac user.
If I'd had to buy that software retail it would have cost more than the values I've put down for it.
If they continue to deliver free apps, and add value to the ones already out there -- something they've shown a willingness to do, then I continue to come out ahead.
And to top it all off, if I wanted to, I didn't HAVE to pay for .Mac.
The upgrade price of Jaguar for current 10 users is a bit annoying, though. They add a lot and I understand why they're charging... but it should be $70 if you've already bought the box retail, as I have. (But, it's easy for me to say since, as a developer, they'll send it to me anyway. Course that cost me $500, but this is just another $129 discount I'm getting, on top of the $2,000 in other discounts I've already gotten.)
Apple treats its people well. Cheapskates will always whine when you try to charge for something that was free...while they happily use iTunes and don't pay for it and give it no value.
That's one downside to open source-- it's played into the pricing psychology discovered long ago. People will value something based on what you're asking for it. Ask $700 for a piece of software and they'll think it's a great deal if they get it for $500. Ask $500 for the SAME SOFTWARE and they'll think it's too expensive and your sales are lower.
Give away software for free, or internet services for free, and nobody pays for them-- which is why nobody's got a successful subscription service on the net (except for a couple situations.)
Apple thought the added value of growing the userbase would offset the costs-- but it didn't, the costs were absurd, and so they are solving the problem. Much as I hate to pay for .Mac, even though I'm getting a great deal at $50 and have lots of free software to balance it out, I would rather have them do this than have them eliminate the service.
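A toy model of the two points the thread argues over: the story's concern that a message URL carrying the session id lands in a third-party Referer log, and the WebObjects comment's claim that the same URL stops working once the user logs out or the roughly 15-minute session window closes. This is an added example written for this page, not Apple's or WebObjects' code; the host name, URL layout and message body are constructed, and the TTL is taken from the "15 minutes or so" comment.

```python
import secrets
from urllib.parse import urlsplit

SESSION_TTL = 15 * 60  # seconds; a commenter reports roughly 15 minutes


class Webmail:
    """Minimal webmail server whose session id rides in the URL path."""

    def __init__(self):
        self.clock = 0.0      # simulated time so expiry can be exercised
        self.sessions = {}    # sid -> (user, expires_at)
        self.mailbox = {"alice": {"42": "constructed message body"}}

    def login(self, user):
        sid = secrets.token_hex(16)   # fresh id on every login, as the comment says
        self.sessions[sid] = (user, self.clock + SESSION_TTL)
        return sid

    def logout(self, sid):
        self.sessions.pop(sid, None)

    def message_url(self, sid, msg_id):
        # hypothetical path layout; the real .Mac URL scheme is not on the page
        return f"https://webmail.example/WebMail.woa/wo/{sid}/{msg_id}"

    def fetch(self, url):
        """Server response to a pasted URL: the body while the sid is live, else None."""
        sid, msg_id = urlsplit(url).path.rsplit("/", 2)[1:]
        entry = self.sessions.get(sid)
        if entry is None or self.clock > entry[1]:
            self.sessions.pop(sid, None)   # expired ids are dropped, not honoured
            return None
        return self.mailbox[entry[0]].get(msg_id)


def leak_demo():
    """Walk through the thread's scenario and return what each step yields."""
    srv = Webmail()
    sid = srv.login("alice")
    url = srv.message_url(sid, "42")
    # Clicking an outbound link from this page sends the full URL, sid included,
    # as the Referer header, so it ends up in the other site's logs.
    leaked_referer = url
    while_logged_in = srv.fetch(leaked_referer)   # readable from any browser: the hole
    srv.logout(sid)
    after_logout = srv.fetch(leaked_referer)      # None, as the WebObjects comment predicts
    sid2 = srv.login("alice")
    srv.clock += SESSION_TTL + 1
    after_expiry = srv.fetch(srv.message_url(sid2, "42"))  # None once the window closes
    return while_logged_in, after_logout, after_expiry
```

The same walk-through with the id in a cookie instead of the path would leave `leaked_referer` free of any secret, which is the fix the "move to cookies" comment proposes.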
Yeah, and you guys panned the ipod too: http://apple.slashdot.org/article.pl?sid=01/10/23
From - Tue Jul 23 13:10:54 2002
Content-Type: text/plain; charset=us-ascii; format=flowed
X-Mozilla-Status: 0001
X-Mozilla-Status2: 10800000
Message-ID: <3D3C8A0B.3160711@mac.com>
Date: Tue, 23 Jul 2002 13:10:34 -0400
From: SexySteve33 <stevejobs@mac.com>
User-Agent: Mozilla/5.0 (MacOS6; U; en-US; rv:1.0.0) Gecko/20020530
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: "Michael Dell" <bigcheez@dell.com>
Subject: Please UNSUBSCRIBE ME from your Mailing List
Content-Type: multipart/mixed;
boundary="------------080203142303090106000203"
This is a multi-part message in MIME format.
--------------080203142303090106000203
Content-Transfer-Encoding: 7bit
Mister Dell,
FOR THE THOUSANDTH TIME, "DUDE, I *AM NOT* GETTING A DELL"!! IF I SEE THAT STEVEN IDIOT ONE MORE TIME SMILING STUPIDLY AT ME FROM MY INBOX I'M GONNA SNAP! SPAM ME ONE MORE TIME AND I WILL COME DOWN THERE AND RAM YOUR GODDAMN "DULL LATIDUDE CRAPTOP" UP YOUR FAT WINTEL ASS!!
NOW REMOVE ME FROM YOUR EMAIL LIST!!!!!!!!!!!!!!!!!!!!!!1
I MEAN IT - YOU SEND ME ONE MORE DELL SPAM AND I'M SENDING YOU THE ENTIRE COLLECTION OF SWITCH ADS IN HIGH-QUALITY QUICKTIME FORMAT.
Sincerely,
Steve
"Michael Dell" <bigcheez@dell.com> wrote:
> How Would YOU feel behind the wheel of a brand new grey plastic laptop?
> Dell has a special one-time only deal on our fiery hot new P4 laptops,
> guaranteed to run twice as hot as the old ones!
>
> We see by your customer profile that you have never had the pleasure of owning
> a Dell. We would like you to switch! Now is the time for us as a wonderful vendor
> and you as a potential victim to get together and make sweet financial love.
[snipped in disgust]
BlackBolt
Here's MacFixIt's summary:
No doubt.
Is Mac webmail encrypted?
War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?