A Little .Mac Security Flaw
deleuth writes "The de facto online connectivity software sold along with many Apple computers, .Mac, has a Web interface through which users can check their 'iDisk' while away from their own computer. However, there is no Log-Out button in this Web interface, so most users just close the browser and walk away... not realizing that their iDisk has been cached by the browser and that anyone who wants to can open up the browser, go back to the link in History, and get into their iDisk completely logged in. From here, files can be downloaded and/or deleted. This seems like a minor security flaw via bad interface design, and podcaster Klaatu (of thebadapples.info) posted this on the discussion.apple.com site, only to have his post removed by Apple. Furthermore, feedback at apple.com/feedback has gone unanswered. The problem remains: there is no way for the average computer user to log-out of their iDisk on public computers. A quick review of any public terminal's browser history could bring up all kinds of interesting things."
If you suppress bad news, it doesn't exist!
"The fight for freedom has only just begun." - Geert Wilders
I know good and well that with Apple finally coming of age (to a degree) there's more folks out there than just me chuckling not only at the security issues that are popping up, but at Apple's reaction to all of them. Here's a tip to Apple - it's only going to get worse, and that mound under the living room carpet is getting too large to hide.
The cult of mac is angry! Since most mac users assume everything is ok and will be taken care of instantly, you need to give examples of what has not been fixed when you post things bad about Apple. The Cult of mac (just like most religious movements) always responds in the same ways:
1. Call the one making the statement ignorant and/or stupid.
// This happens the most, even if you were to give examples they could answer to.
2. You belong to another cult and therefore your word cannot be trusted.
// I didn't see anyone calling you a microsoft fanboy here but it is only a matter of time.
3. Try to correct the errors in your knowledge by providing examples of where you are wrong, regardless of if your concerns/arguments are valid.
// I call this the helpful approach. It is found here several times.
Usually a mixture of these responses is used. I seldom hear a "you're right" excuse. If anyone else has any other rules that I have not added to the list, I apologize. Late to bed, early to /. is probably not the best combination. Just remember saying anything about Apple is flamebait, good or bad.
Wearing a hat keeps out the voices.
Now stop acting like a brainless fanboy and think a bit.
Apple screwed up.
First they deployed an internet-based service without a proper security review (or had it reviewed by less than qualified staff). And second, when it was reported they (sorry, but the forum admins do speak for the company - in this case perception equals reality) deleted the reports instead of providing helpful information and an ETA for the fix.
Now it's time for you to say it. Go ahead, say "Apple screwed up." Admitting you're a fanboy is the first step of recovery. It won't hurt you or Apple - I promise. But it will lift up the rose-tinted glasses you're wearing.
Because I am a mean old man, on at least one occasion I have visited the Apple store only to find someone has used their personal iChat login on a machine...
How does this make me a mean old man?
When I find that mistake has been made, I delete all their buddies from their buddy list before closing iChat.
Though I have considered sending (but have never sent) "I hate you, never talk to me again you lying slut" messages to the iChat buddies first.
I am trying to educate little darlings, but telling their buddies to fuck off would prevent the lesson from spreading...
I have to admit, I never thought of looking for .mac history elements, but I am not sure I am mean enough to delete all of someone's stored files...
Innocent people shouldn't be forced to pay for inferior software development.
--"Code Complete" Microsoft Press
Apple forums are for users helping users. No gripes or sour grapes allowed. No drum beating. Any post sounding like such will be deleted. Has angered some real contributors.
-- Sally