A Little .Mac Security Flaw
deleuth writes "The de facto online connectivity software sold along with many Apple computers, .Mac, has a Web interface through which users can check their 'iDisk' while away from their own computer. However, there is no Log-Out button in this Web interface, so most users just close the browser and walk away... not realizing that their iDisk has been cached by the browser and that anyone who wants to can open up the browser, go back to the link in History, and get into their iDisk completely logged in. From here, files can be downloaded and/or deleted. This seems like a minor security flaw via bad interface design, and podcaster Klaatu (of thebadapples.info) posted this on the discussion.apple.com site, only to have his post removed by Apple. Furthermore, feedback at apple.com/feedback has gone unanswered. The problem remains: there is no way for the average computer user to log-out of their iDisk on public computers. A quick review of any public terminal's browser history could bring up all kinds of interesting things."
Am I the only one that notices that Apple's response to every problem is a swift "let's delete this topic and pretend the problem doesn't exist"? .. Seems like bad business practise to me.
Free means no restrictions, ironic the FSF's GPL forces restrictions, isn't it? What's your definition of free?
I love how this is a "little", "minor" security flaw, and even though Apple actively deleted the post exposing this information nobody's really up in arms as it's just due to "bad interface design". If this were a Microsoft property, people would be screaming bloody murder.
step 1. use firefox
step 2. ctrl+shift+del
step 3. ?????
step 4. profit
Tools > Clear Private Data in Firefox is the option you need.
Not having a log out button is bad design but many people forget to click them, you need a decent timeout to reduce the risk for those that don't log out.
Does this system keep you logged in (via cookies) if you close the browser and restart it? If so that's a very bad design.
Ah, well, see, so long as Apple makes sure no one knows about this, it won't be a problem. Surely everyone on Slashdot sees the validity of this strategy. (God I love my sig)
If you are about to mod me down, keep in mind that this post was most likely sarcastic.
After accessing your iDisk in Firefox:
In Safari:
Or if you remember to do so before visiting .Mac's iDisk page:
Problem solved.
So yes, there are ways for the average user to log-out of their iDisk from a public terminal. They just simply have to use the existing facilities at their disposal.
Yaz.
Is the iDisk connection encrypted, or is it wide open?
This sounds like a job that some sort of graphical SSH frontend could do better. (since OS X has ssh support built in)
"It is a denial of justice not to stretch out a helping hand to the fallen; that is the common right of humanity."
Slashdot editor kdawson and Slashdot submitter deleuth mysteriously disappear...
I've never noticed that before. Probably because desktop WebDav on OS X is so slow that I just use dedicated client apps. The poster isn't being perfectly clear on the whole process for accessing your iDisk via dot mac. Here's how it goes. You sign into dot mac, then you sign into your iDisk. Same username, same password for both. You get a web page that accesses your WebDav folder on Apple's servers. Signing out of dot mac doesn't sign you out of the iDisk. A simple history check pulls it right back up with full write access to your iDisk (clearly not from web cache). No one would expect that behavior. I would assume there is a network idle time out, as dotmac has.
In real experience terms, this isn't going to be much of an issue until it's fixed, but does put a small stain on the portability of the service. Which is one of Apple's main advertising points for it. Gotta remember though, Apple, like all other companies is filled with a lot of people. There are moderators on Apple forums, for all we know one of them removed it then notified management of the problem and it's working its way up the command. It's not like Steve Jobs read it and said, "OMGWTFBBQ!?!?! PULL THAT NOW!".
Though, the extra publicity will help.
Burn Hollywood Burn
I am a new Apple user. And reasonably happy.
However, there is one thing that I am very troubled by and it is simply this: Apple's apparent arrogance and ignorance when it comes to security.
Apple has enjoyed a "blanket" of security because it is low profile and a niche. However, as its market share and mind share expands, this period of respite will soon fade.
You would think that, during this time, Apple would have used the opportunity to develop an internal culture, policies and procedures, as well as infrastructure for dealing effectively with security issues. However, the complete opposite appears to be the case.
Apple has failed miserably to publicly and actively address such issues. It also fails to respond in anything that could be called a rapid manner to reports of exploitable security holes. Taking actions such as deleting posts that point out security problems makes the situation worse, not better. Failing to publicly document the existence, status and nature of defects makes the situation worse, not better. Being secretive makes the situation worse, not better.
Apple makes decent hardware. Leopard is very nice to use, though far from perfect. The whole ecosystem and vertical integration is nice. However, the whole thing could come crashing down because of a serious security flaw. If people think Microsoft is susceptible to such a scenario, the Apple empire is even more so.
It's not a question of if, but when. Will Apple be prepared? So far, all signs point to "NO".
PS... the CAPTCHA word for this post was "condom".. how appropriate considering the whole point is to have a good prophylactic. A good metaphor for Apple's current approach to security.
Yet another incident where Apple blatantly ignores the customers they claim to value so much...and they will likely continue to do so until there's such a shitstorm about this that they have no choice but to respond. Apple used to be a good company...ten years ago. Now they're just as bad (if not worse, in many regards) as every other IT giant out there. Sad.
I'm a geek girl. Seriously.
It sounds neat but mom isn't going to use it. My way to do the same thing is just to ssh to my desktop at work and do whatever. So, I wouldn't use something like iDisk. It is also neat that you can share large files with your buddies. otoh, people can share movies online without iDisk.
So, my question is, how many people actually use iDisk? How much of a problem is this actually.
. . . It just *works*
Free means no restrictions
Your basic premise is wrong.
"When I first heard Daydream Nation it quite frankly scared the living shit out of me." -- Matthew Stearns
If you suppress bad news, it doesn't exist!
"The fight for freedom has only just begun." - Geert Wilders
Just another flaw to go alongside the "reliability flaw" and "value-for-money flaw".
First, Apple, stole the syntax from MS. Now they're implementing unsafe computing practices. What next, EEE?
It is dangerous to be right when the government is wrong.
No SSH session for transmission of personal data, and reliable logout for protection? Insane security practice from a now UNIX-certified OS vendor, especially when it comes to something so private as the transfer of one's hard disk contents to an internet backup? Ah well, it was bound to happen, and it has probably happened in the past, and will likely happen again in the future. Anyone can slip up.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
Huh? You seem to have conflated their corporate policy, which is sometimes very stupid, with their security policy, which is generally good. The two have nothing to do with each other. Apple's overzealous moderation of their own forums is well known, and unfortunate. But it has nothing to do with how well they manage their OS security and how well they respond to exploits.
You are very mistaken, this incident does prove that Apple's security policies and responses are indeed lacking. Don't get fixated on the deletion of a post, consider that they did not respond by adding a logout option to a *web* interface.
And a public street. Or an employers computer. Etc, etc, etc.
Indeed; I'm somewhat amused that this is described as a "minor" security flaw in the summary and blamed on the user interface. If it was a Microsoft web site it would be described as a major flaw and the foaming at the mouth would begin. Nor is it a user interface problem; by using session cookies closing the browser would logout the user, with or without a logout button.
The site listed (but not linked) in the summary doesn't describe the issue as minor, or a UI problem, so one can only assume that description comes from the summary author.
Anyone can slip up.
Ah, but this is Slashdot, where corporations are composed of primordial evil and capitalism is the beefy fart of the Devil. Every slip up is cause for running to the hills to prepare revolutionary strikes, and then run to the other hills and plan counter-revolutionary terror, and we all run around like decapitated chickens shouting comforting mantras like "Information wants to be free!" and "It am teh suk!"
This story is stupid.
Step 1: Log into .Mac at mac.com - notice big LOG OUT text button on the top right
Step 2: Click to go to my iDisk - iDisk pops up in a new window
Step 3: Finish using iDisk, close window
Step 4: Click the big LOG OUT text button
dotMac also times out after 30 minutes and forces a re-authentication.
In other news, your computer is broadcasting an IP Address RIGHT NOW.
- "When you want something with all your heart, the entire universe conspires to give it to you" -Paulo Coelho
If you let someone have full access to your computer, they can delete personal files and directories! News at 11!
The Reg is currently questioning Apple's approach even in addressing well-known security vulnerabilities that it has actually acknowledged:
http://www.theregister.co.uk/2007/12/15/apple_security_fixes/
Really, if the public terminal isn't configured to automatically clear the data when the person has finished there's a problem.
Am I the only one that notices that Apple's response to every problem is a swift "let's delete this topic and pretend the problem doesn't exist"? .. Seems like bad business practise to me.
This happens all the time on corporate forums. The really infuriating part is that the admins also delete posts advocating a move to another forum without censorship. The only way to take discussion to sane place is to find topics before they've been deleted, see who's interested enough to post in those threads, and PM them with an invitation to a different forum.
as they attract people who are responsible for Windows security issues to their platform they will be vulnerable to the same opportunities.
If they can already access your mac, then I think the last thing you would worry about is your .Mac account.
I thought that session cookies died when the browser window closed - or does .Mac use URL rewriting?
Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
That's why I "like" Apple.
If you don't like something about them, it's you who is wrong.
And now, if you suspect/have proved a security flaw, you still are on the wrong side of things.
Microsoft locks you in to software, leaving hardware selection free, Apple locks you in completely. Now tell me who's worse.
How much are your bosses at Apple giving you for this as a bonus?
A far more pressing concern is that data is transmitted to and from your iDisk insecurely. No one should be storing any sensitive data on their iDisk.
I wonder if this article is about how Apple is sweeping problems like dust, under the carpet. Sounds very Microsoft'ish. However, it's also very likely that Apple really takes care of those problems, but I don't understand why to hide them as if they didn't exist at all.
OOOh if it's a Mac it's little but if it was in Xp or Vista (gasp) it certainly was a major catastrophe!!!
Or they could use a session cookie that is deleted when the browser is closed.
I know good and well that with Apple finally coming of age (to a degree) there's more folks out there than just me chuckling not only at the security issues that are popping up, but at Apple's reaction to all of them. Here's a tip to Apple - it's only going to get worse, and that mound under the living room carpet is getting too large to hide.
Patrick Doyle
I mod down every jackass who puts his moderation policy in his sig. Oh, wait a sec....
This sounds like an opportunity for Apple to add a logout feature for HTTP Basic authentication to their browser. After all, they control both the browser and .mac; they can make this work. I've never understood why there is no logout feature for HTTP Basic authentication.
I don't know if .mac actually uses HTTP Basic auth for authentication (if I were to guess I would guess not), but still.
Please correct me if I got my facts wrong.
If it was Microsoft deleting posts which they didn't like the bloggers would be frothing at the mouth and looking for ankles to bite.
Apple, which has a long history of this, seems to go unnoticed.
No sig today...
If someone has physical access to your machine, you're completely screwed 5 ways from Sunday REGARDLESS of the access controls in place. There is NO protection from such an attack. Consider the situation where the site did require a login: the person who gains access to your machine then installs a keylogger and steals your password. SAME conclusion. The key concept here is that no security is invulnerable once you lose control of the hardware. The RIAA and MPAA have been learning this lesson for the past few years. The only way to secure your data, is to encrypt it and carry the security token which holds the decryption hardware and/or key with you. Given enough brute-force or cryptanalysis, even this solution is vulnerable. Some future advancements in security might solve this fundamental problem, but given current knowledge it's simply impossible. In conclusion, the design of Apple's iDrive service is not a security flaw.
Higher Logics: where programming meets science.
the idisk, designed for accessing your files from public places, leaves all your files available for the next person to login! yet instead of doing something about it (changing cookies to session cookies would take less than an hour), apple delete and ignore the post.
And then everybody dumb enough to pay loads for what's basically ftp hosting with a nice little script, instead of being annoyed, jump to defend apple!
steve says jump, you say how much $$$!!!
This whole article seems to be based on the lack of a "log out" button, except... there is a log out button!
Here's a screenshot
It's right there in the top right.
Just tried it to check, and when I close the iDisk window, Safari crashes.
In Firefox: Ctrl+Shift+Del = solves problem In Internet Explorer: Tools --> Delete Browsing History = also solves problem.
I thought all Macs were used for doing some graphics. How risky can it be?
(/sarcasm)
"Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."
But if those opportunities lead to nothing serious, then it still doesn't matter.
What matters though, is for Apple to make sure they fix every vital security flaw they can with current software, implement even smarter security design in the future and continue to be the better choice for those who use their computer for traditional computing, ie. in the creative and journalistic area, internet-related usage (e-mail, web, IM, SFTP) and *NIX (ssh, text editing, programming, etc).
"People are stupid. Persons are smart" -- Agent K, MiB.
Right next to your username.
"Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."
A similar incident was previously covered up until exposed here
It is no different from leaving the house open and blaming the manufacturer of your dining table for not protecting against this possible scenario.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
Let's try it with
History > Clear history
Apple+Option+E...
"Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."
when it comes to Apple. But you screwed up: when you're jerking that knee at something they've done, you *must* include the requisite statement: "but if this were Microsoft, you'd all be up in arms..."
Apple used to be a good company...ten years ago.
Ten years ago their stock was ~$15 a share. Right now it's $190 per share, and that's after a few splits. I would trade one of your kidneys for a few hundred shares of 1997 Apple stock.
if you access your idisk via the URL idisk.mac.com/username, there is no logout button but the session is killed when you quit the browser, thus requiring you to login again when you try to access it. You can also access it via www.mac.com, it's in the navigation on the left. In this case though there IS a logout button. It's in the upper-right corner of the page. So what seems to be the problem here?
"You claim that what forum admins do is unrelated to security. That is mistaken. Either a forum admin failed to report a security issue or they forum admin reported it and no one felt the need to update a *web interface* in a timely manner. Either scenario indicates that something is lacking at Apple."
...
... and that user forum administrators are in no way able to evaluate what is a stupid user error vs what is an actual security issue across the hundreds of different hardware and software combinations Apple offers.
Or it indicates that user forums are not the place to report security flaws,
If that were the case you are merely demonstrating where one fault may lie. No communication channel should disregard a security flaw report.
Again, you merely demonstrate where one fault may lie. No one is saying that a forum admin should evaluate the validity of the issue. What a forum admin should do is forward the issue to someone who is competent to make that evaluation. By deleting a post and not forwarding the info the admin would in fact be making such a determination and that would be wrong if it is the case.
Also you are creating a silly red herring. This particular security problem is independent of hardware or software. The problem and fix lie in a *web* interface.
If you think every forum post should simply be echoed to the bug tracker, that's your prerogative, but it seems to be a great way to waste a lot of the qualified bug-squashers' time.
Another silly red herring. There are qualified people between the forum admin and the developers. Isolating developers from the noise is a common thing in many organizations. If your silly scenario were true, if a forum guy could directly contact a developer then that would be yet another example of where a shortcoming may lie.
Misrepresenting my position will not revive your failed logic. My position is that the communication channel is irrelevant. Any security issue reported in any manner should be evaluated by a qualified individual. If the report is not made to such an individual it should be forwarded to one. Once verified it should be addressed in a timely fashion. While we do not know whether the issue was properly forwarded, we certainly know it was not addressed in a timely fashion. Again, we are dealing with a *web* interface, not something that requires a software update.
If Apple were unwilling to immediately update the web page and server side glue they should have at least issued an alert informing customers to clear their browsing history when using a public terminal to access their iDisk. Their failure to do either indicates that there is a shortcoming somewhere, period.
You realize that the post was probably deleted by someone in poorly-trained low level support monkeys, right? Apple has a bug reporting system and an email for security issues. Use them, not the forums, if you want to make sure the post is actually evaluated by someone with understanding of... well, anything technical.
You are merely describing what may be the specific shortcoming of Apple's organization. By ignoring the report because it was made via an inappropriate channel the monkey is in reality making a determination of the validity of the report. The monkey should forward the report to a non-monkey.
admittedly not relevant for everyone, but synchronizing calendar, contacts, mail accounts and bookmarks across various macs/users/offices is really great. If there is something cheaper that works as reliably and easily (automatically without being prompted) I would like to know. I don't use any of the other features although the gallery is nice.
I saw the title, "A Little .Mac Security Flaw", and immediately thought of the campaign song of George B. McClellan when he challenged Abe Lincoln in the 1864 presidential primary. His campaign song began with the lines: "Little Mac, Little Mac, You're the very man, go down to Washington soon as you can." and no, it's not because I'm a history maven or Civil War buff. When I was a kid I had a record, "Huckleberry Hound for President", built around Huckleberry Hound running for president, and one of the things they did was go through old presidential campaign songs looking for something to use for Huckleberry.
The things that stick in your head from when you're a kid.
In theory, theory and practice are the same; in practice they're different. (Yogi Berra & A. Einstein)
I think that "de facto standard" is undergoing the same illiteracy shift as "treasure trove" did, where people don't understand how to parse the phrase, mistake the noun for the adjective and vice versa, and start using the adjective as if it were the noun. Please, help fight this shift in the language. "De facto" is a much more important term than "trove" ever was, so it's essential to our continued ability to communicate effectively that it not lose its meaning and come to just mean "standard." Thank you for your support.
People keep saying '.mac has a logout button' and 'you can just click here and here to delete your cookies'. That's not the story! The idisk software is lacking a logout button, it is PART of .mac, not .mac. And if you didn't get that from reading the article, surely you understood it from reading other posts. In their rush to defend the indefensible, they blew past the article and said something that is arguably moronic.
Before you mod me troll or flamebait, it's just an observation not an attack on anyone.
If you want to access private data on a public computer, just delete the browser's recent history when you're done. And the fact the comment was deleted means Apple knows about it (and might fix it). Did you think about the possibility that Apple is fixing it now, only they don't want a bunch of people looking at the forum to get the idea to access other accounts by looking at the History?
function logout() { // kill cookie / session
}
(yes I know Jscript is a poor choice of language here, I am simply proving a point)
In the time it has taken me to read this thread, this issue could have been fixed. As a mac user, I am very disappointed in such a simple, yet potentially deadly flaw. I am even more disappointed in the forum admin deleting the thread. I am even more disappointed in the posters on /. who are defending this, simply because it happened to "our side".
This should have been fixed within an hour of being reported. My clients are much, much smaller than Apple, and they have far better web security than this. Simply unacceptable.
Bad timing too. I was considering upgrading to Leopard, and paying for a .mac to use remote backup. Now I wonder how secure my data would be. More damaging: I don't trust this company to tell me if a problem appears.
barack to the future?
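Several comments in this thread propose the same server-side fix: a session cookie, an idle timeout, and a logout that actually kills the session. The JavaScript (Node.js) code below is an added example, not part of the thread and not Apple's code; it shows why a request replayed from browser History succeeds or fails in each case. The cookie name `sid`, the `SessionStore` class and the sample user are assumptions; the 30-minute idle limit is the figure one commenter reports for .Mac.

```javascript
// Added example: names below (sid, SessionStore, 'alice') are hypothetical.
const webcrypto = globalThis.crypto ?? require('node:crypto').webcrypto;

const IDLE_TIMEOUT_MS = 30 * 60 * 1000; // idle limit quoted in the thread
const COOKIE_FLAGS = 'Path=/; HttpOnly; Secure; SameSite=Strict';

// Extract the sid value from a Cookie request header, or null if absent.
function parseSid(cookieHeader) {
  for (const part of String(cookieHeader || '').split(';')) {
    const [name, ...rest] = part.trim().split('=');
    if (name === 'sid') return rest.join('=') || null;
  }
  return null;
}

// A cookie with no Expires/Max-Age is a session cookie: the browser drops
// it when it quits, so the History link alone no longer authenticates.
function isSessionCookie(setCookie) {
  return !/;\s*(expires|max-age)\s*=/i.test(setCookie);
}

class SessionStore {
  constructor(now = () => Date.now()) {
    this.now = now;            // injectable clock so timeouts can be tested
    this.sessions = new Map(); // sid -> { user, lastSeen }
  }

  // Returns the Set-Cookie value for a fresh, unguessable session id.
  login(user) {
    const bytes = new Uint8Array(32);
    webcrypto.getRandomValues(bytes);
    const sid = Buffer.from(bytes).toString('hex');
    this.sessions.set(sid, { user, lastSeen: this.now() });
    return `sid=${sid}; ${COOKIE_FLAGS}`; // no Expires/Max-Age on purpose
  }

  // Returns the user name, or null if the session is unknown or idle too long.
  authenticate(cookieHeader) {
    const sid = parseSid(cookieHeader);
    const session = sid && this.sessions.get(sid);
    if (!session) return null;
    if (this.now() - session.lastSeen > IDLE_TIMEOUT_MS) {
      this.sessions.delete(sid);
      return null;
    }
    session.lastSeen = this.now();
    return session.user;
  }

  // Logout must delete the server-side record; clearing the browser cookie
  // alone would leave a copied or cached sid valid.
  logout(cookieHeader) {
    const sid = parseSid(cookieHeader);
    if (sid) this.sessions.delete(sid);
    return `sid=; Max-Age=0; ${COOKIE_FLAGS}`;
  }
}

// Simulates the next person at a public terminal reopening the History
// link while the browser still holds the old cookie.
function replayFromHistory() {
  let clock = 0;
  const store = new SessionStore(() => clock);
  const cookieOf = (setCookie) => setCookie.split(';')[0];

  // Case 1: the user clicks logout before walking away.
  const a = cookieOf(store.login('alice'));
  const whileLoggedIn = store.authenticate(a);
  store.logout(a);
  const afterLogout = store.authenticate(a);

  // Case 2: no logout, replay 10 minutes later (inside the idle window).
  const b = cookieOf(store.login('alice'));
  clock += 10 * 60 * 1000;
  const withinTimeout = store.authenticate(b);

  // Case 3: same cookie after a further 31 idle minutes.
  clock += 31 * 60 * 1000;
  const afterTimeout = store.authenticate(b);

  return { whileLoggedIn, afterLogout, withinTimeout, afterTimeout };
}

console.log(replayFromHistory());
```

Case 2 is the exposure the story describes: without an explicit logout, the idle timeout only bounds how long the next visitor has.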
There is an option to reset Safari, the same way Firefox does its clearing private data. It's found in Safari -> Clear Private Data.
On top of that, there's a mode specifically made for public terminals called "Private Browsing" which automatically deletes all session data when the browser window closes.
Along with the lack of a logout button, the problem here is compounded by users not using the software properly.
Because I am a mean old man, on at least one occasion I have visited the Apple store only to find someone has used their personal iChat login on a machine...
How does this make me a mean old man?
When I find that mistake has been made, I delete all their buddies from their buddy list before closing iChat.
I have to admit, I never thought of looking for .mac history elements, but I am not sure I am mean enough to delete all of someones stored files...
Though I have considered sending (but have never sent) "I hate you, never talk to me again you lying slut" messages to the iChat buddies first.
I am trying to educate little darlings, but telling their buddies to fuck off would prevent the lesson from spreading...
Innocent people shouldn't be forced to pay for inferior software development.
--"Code Complete" Microsoft Press
Because I am a mean old man, on at least one occasion I have visited the Apple store only to find someone has parked their new car in the parking lot...
How does this make me a mean old man?
When I find that mistake has been made, I run my key down the side of their car before leaving.
I have to admit, I never thought of looking for new tires, but I am not sure I am mean enough to slash someones tires...
Though I have considered smashing their windows.
I am trying to educate little darlings.
This would be a far more serious issue if this was, at all, a standard way of connecting to the idisk. The standard methods on both mac and windows both allow for secure logout, no issues at all.
That said, the response is weak-sauce. Not only Apple's, but the standard idiotic jokes about how Apple must be perfect.
It's as though all you awful lifeless Linux-loving losers have nothing better to do than pretend that Apple users are all idiots, or that we all think our preferred computers are actually perfect. I know that most of slashdot is filled with low-grade morons who think that Gentoo is better than OS X and Vista (LOL) but give us a fucking break. There's a problem.
At least give the company involved some time to respond before you decide that it's time to break out the pitchforks.
I laugh at these sort of security hole "the sky is falling" threads. If someone has access to your computer so they can inspect your iDisk, then you probably have more to worry about than what you saved on it.
It's more like finding someone had left their keys in their car's door... and moving the car to a far part of the parking lot to teach them a lesson. Someone once told me they'd done that, and was surprised that I didn't think it was terribly funny.
Surely there's some way in iChat to leave them a note.
There's many classes of related problems here.
You have sessions that are not terminated explicitly when the user leaves the work area. Leaving yourself logged in has been a problem as long as there's been remotely accessed computers. I remember sitting around in the computer center in the dark back in the '70s because the mainframe we were using automatically resumed checkpointed jobs and the computer center had a policy of not terminating them for power outages less than some period of time.
You have reusable authentication tokens or session IDs that aren't automatically revoked.
These combined are a common problem thanks to the statelessness of the web.
Adding to that the inability to explicitly log out?
Not good.
On the other hand, using shared devices with non-trivial persistent state is also a problem. At Usenix one year the word went out that everyone who had used Kerberos logins at the Usenix terminal room should change their passwords, because they'd found some trapdoored Kerberos software on a terminal there. As originally designed, Kerberos was meant to be used with workstations that were trivially re-imaged over the network... they had no persistent state. Now whether Athena workstations were really used that way or not, I don't know, I wasn't at MIT... but the intent was that they be treated as dataless workstations.
Any system running a web browser, unless it's operated by someone you trust and either re-imaged before you use it or locked down so that even a local attacker using the browser can't initiate a remote execution exploit on it, is not sufficiently secure that you should be trusting it with passwords or other authentication tokens that can be used to access any resources that you actually care about.
If Apple wanted to really attack security here, then the .Mac login screen would have a warning against using it from any location where this exploit was possible in the first place, and you would be able to indicate that you were working from an untrusted location, and if so you would be automatically prompted for your password after what most people would consider an annoyingly short period of inactivity...
And track IP addresses, so if you log on from an IP address that someone else had used, you got put in this mode automatically.
But, really, shared computers ... particularly at public locations ... really shouldn't be used for anything more than googling restaurants and browsing wikipedia.
not a problem if you enable Private Browsing in Safari
Klaatu barada nikto!
(From Safari Help)
When private browsing is turned on:
Webpages are not added to the history list.
The Downloads window is cleared so the name of anything you downloaded won't appear in the list. (To get rid of the downloaded item itself, you must delete it.)
Information isn't saved for AutoFill, including names and passwords.
Searches are not added to the pop-up menu in the Google search field.
Cookies are deleted.
(Yes, I was a dick, I think I made that perfectly clear in the text.)
For the analogy to be correct, the new car would have to have been left running, unlocked, and unattended in the parking lot and I would have had to take it out and get it what? have it cleaned?
People who leave their cars running and unlocked and unattended get their cars stolen all the time. I didn't "steal" the account nor do the equivalent of taking the keys and throwing them into the bushes.
I also didn't take the car for a ride and run it into things or rack up a bunch of red-light camera offenses. (other people had been sending messages on the account).
Nor did I copy down the registration information and use it for my own purposes (someone had been looking through chat logs for phone numbers and such if the open window contents were to be believed).
So yea, I was a dick. Not my best moment by a long shot. I started with that. But at least criticize me with a reasonable analogy and perhaps understand why I shared the story in the form of a cautionary tale. 8-)
Innocent people shouldn't be forced to pay for inferior software development.
--"Code Complete" Microsoft Press
We don't know if Apple REALLY removed comments, or if this guy is just claiming they did. Secondly, we don't know the content of his comments. Perhaps they were vile and inappropriate and/or non-constructive? I'm trying to find more "proof" of this claim, but there is nothing linked in this /. "story". There's always a second side to the story as they say...
Wait a minute, I've looked through all of the 4 mod level posts here, and I see defenses and attacks on apple, but has anyone actually bothered to try this?
So... what the hell? Of course, what is a little more serious is that this data is all being sent plaintext, but the story as posted doesn't seem to be true, at least based on my casual test.
Also, isn't it considered good form to bother providing a link to the story we're summarizing? I know this is slashdot and no one bothers to read the text anyway, but for those that do, having to copy/paste URLs and browsing the site for the story being discussed is kind of stupid.
I am not disagreeing with a single thing you said. It sounded like the parent wanted the report read by someone knowledgeable, and I pointed them in the right direction. If the goal was indeed to get it before eyes, I helped. If it was merely to complain, I did no damage. Nowhere did I defend any policy, only describe it.
Quoting from the article === "so most users just close the browser and walk away"
I discovered a similar security hole in Microsoft Windows --- a colleague at work just closed IE and walked away so I deleted a lot of files from his C: drive!
If you look at any Finder window, you have a bar on the left hand side. If you right-click on the iDisk icon, you get a pulldown menu with the Eject option...
At least this works for my own iDisk on my own Mac.
If you don't see the bar on the left, you should activate it with the tiny rounded-rectangle button on the upper right of the Finder window.
Funny, I seem to have a logout button too (and had one long before this "article" came out). And if, after clicking it, I "go back" in the browser, I have to log in again. Nothing gets cached for me. Now if I mount the iDisk on my desktop, it tends to hang around, but then that's how network drives are supposed to work. Cheers, tb
There is a log out button, always has been. Top right corner. Maybe it just takes someone that has half a brain to figure things like that out. Plus if you close a web browser on a publicly used computer PC/Mac without clearing the browser's history and cookies it is your fault for being a rookie. Want safety and security use a Mac want something worthless pickup any Microshit product, I bet hotmail is much safer than .Mac lol
I didn't buy it so I tried it. I opened Safari and connected to my iDisk on the web. I quit Safari and went into history and I was asked for a password. I guess had I not quit safari and the session had not timed out, maybe then but I think I could run into that on Amazon! Am I missing something? Maybe that is why Apple deleted the posting because it was wrong! Just a thought?