.Mac Webmail Security Hole Allows Arbitrary Access
TexTex writes "Apple's release of .Mac brings their webmail system to the front as one way for .Mac users to access their email (previously webmail was in beta under iTools). However, it seems the URLs that Apple's scripting uses point directly to individual messages rather than requiring you to log in first. So I'm able to type any message's unique URL from any computer and read the contents, regardless of whether I'm a user of .Mac or not, and without logging in. MacFixIt has a full report of one reader's findings." While the URLs may not be easy to guess, they will show up in referer logs if a webmail user clicks a link in an email to go to another web site.
How quick to fix? (Score:1)
Shouldn't take long. (Score:1)
Re:How quick to fix? (Score:1)
According to MacFixIt, it's fixed.
Been there, done that (Score:3, Informative)
-Andrew
Re:Been there, done that (Score:5, Funny)
Re:Been there, done that (Score:2)
you could use "eh" as anyone's password and it would work.
I'm serious too
Those MS Hosers!
Changed expectations (Score:1)
quite a hole (Score:1)
Re:quite a hole (Score:5, Funny)
> that constitutes quite a hole. I'd imagine Apple will be
> quick to fix it though...they're getting enough media
> flak for charging for the service now.
Actually, with Apple's current track record, they'll make a fix, but to get it, you have to pay an extra $29/year to upgrade to a "premium" account. Luckily, they'll bundle a rock that keeps tigers away (a $59 value), so it will still be a good deal!
Re:quite a hole (Score:1)
Just like the fix for Software Update that came less than a week after the exploit was published (and Apple wasn't even contacted first).
Apple has a good track record for fixing the limited security issues that have been exposed. I'm confident this will be fixed in less than 5 days.
Referer-Headers are evil (Score:1, Interesting)
Re:Referer-Headers are evil (Score:1)
Well, if you run a website, they're pretty useful for finding out how people are getting to your site, what they're searching for to get to it, seeing which big site is linking to you and sapping all your bandwidth, etc. etc. Those are just off the top of my head.
Of course, the main reason is that, without referer logs, you'd never have sites like Disturbing Search Requests [weblogs.com].
Re:Referer-Headers are evil (Score:3, Interesting)
1) If a page normally displayed within a frame set is navigated to from outside of the site it would not appear within the frame set. The page would be without its main form of site navigation.
By checking the referrer header in JavaScript you can cause the page to be reloaded within the frame set. This is one way you can repair frame sets.
2) The referrer header allows a page author to see who is linking to him. A useful statistic.
3) You can set up a redirect on your site so people linking from slashdot end up seeing google's cached version of your site so you don't get Slashdotted.
Just some things off the top of my head; there are probably more legitimately useful things to use it for.
Apple and security (Score:4, Interesting)
At MacFixIt, they also point out that Apple's German version of the webmail service is so badly translated (Archiv does not mean trash in English, Apple), and I find it ironic that the info and post is on MacFixIt, a site whose excellent service to the Mac community got it blacklisted by Apple at the last BS MacWorld NY.
Once again Apple: wake the fuck up.
Hmmmm. (Score:4, Funny)
Someone call Alanis Morissette, this is the real thing.
NOT a security hole. (Score:3, Informative)
Cheers
Re:NOT a security hole. (Score:1)
Or, at least that's how I implement stuff like this.
Re:NOT a security hole. (Score:1)
Re:NOT a security hole. (Score:1)
Re:NOT a security hole. (Score:2)
If a user reads a malicious e-mail I sent which has a link to somewhere on my web server, and if I happen to be tailing my logs at that very moment, chances are I can turn around and paste their referrer URL into my own browser and be reading their e-mail.
But that's an issue with URL-based session persistence/authentication tracking overall. This should at the very least be coupled with checking against the user's IP address.
But a Cookie-Based session persistence scheme would seem more appropriate/secure in this case.
I do hope Apple also took care of client-side scripting vulnerabilities. mmMMm.
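The referer leak described in this comment can be found after the fact in ordinary web server logs. The following is an added example (not code from the thread, Apple or MacFixIt) that scans Apache combined-format log lines for session-like query parameters in either the request target (the server itself is carrying sessions in URLs) or the Referer field (another site's users are leaking their sessions to this server), and redacts the values in its findings. The parameter names, hosts, addresses and log lines are all constructed; the real .Mac parameter name is not given in the thread.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Session-like query parameter names. The real .Mac parameter name is not given
# in the thread, so this list is constructed for the example.
SESSION_PARAMS = {"session", "sessionid", "sid", "token", "auth"}

# Apache/NCSA "combined" format: ip ident user [ts] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

def session_tokens_in_url(url):
    """Map session-like query params in a URL to a redacted prefix of their value."""
    found = {}
    if not url or url == "-":
        return found
    for name, values in parse_qs(urlsplit(url).query, keep_blank_values=True).items():
        if name.lower() in SESSION_PARAMS:
            # Keep four characters so hits can be correlated without recopying the secret
            found[name] = values[0][:4] + "..." if len(values[0]) > 4 else values[0]
    return found

def scan_access_log(lines):
    """Return (client_ip, field, host, findings) for each URL field carrying a session token.
    'request' hits: this server itself puts sessions in URLs (the .Mac pattern).
    'referer' hits: another site's users are leaking their sessions into our logs."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for field, label in (("target", "request"), ("referer", "referer")):
            leaked = session_tokens_in_url(m[field])
            if leaked:
                hits.append((m["ip"], label, urlsplit(m[field]).netloc, leaked))
    return hits

# Constructed sample lines (RFC 5737 addresses, example hosts), not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [23/Jul/2002:13:10:34 -0400] "GET /promo HTTP/1.1" 200 512 '
    '"https://webmail.example.net/read?sid=a1b2c3d4e5&msg=42" "Mozilla/5.0"',
    '203.0.113.6 - - [23/Jul/2002:13:11:02 -0400] "GET /promo HTTP/1.1" 200 512 '
    '"https://search.example.org/?q=dell" "Mozilla/5.0"',
    '198.51.100.9 - - [23/Jul/2002:13:12:10 -0400] "GET /read?session=zz99yy88&msg=7 HTTP/1.1" '
    '200 2048 "-" "Mozilla/5.0"',
]
```

Running `scan_access_log(SAMPLE_LOG)` flags the first line (a webmail session leaked via Referer to this server) and the third (this server carrying a session in its own URL), and ignores the search-engine referer.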
Lets all Bash Apple! (Score:5, Insightful)
This is silly. First off, the URL is only valid for 15 minutes or so.
Secondly, it is such an easy fix, I wouldn't be surprised to find out that it isn't already fixed and implemented. All they have to do is check the IP address of the machine making the request, or move to cookies for session info. Or, better yet, go to SSL.
I can understand people being pissed about having to pay for
But to have the highest-modded post in this discussion being a straight-out bash calling for Apple to "wake up" is absurd- and ignores the fact that they have long been delivering the best value for the money of any computer maker out there. They don't charge for iTunes ($30 worth), iMovie ($20 worth to me), Quicktime ($20 worth to me - I get pro features by writing my own player, the codecs are worth $20 to me easily.) iCal or iSync, $25 and $5 respectively. Mail.app, $25, Dev environment is worth $300, Sherlock3 is worth $30, iDVD $40 worth..... so in a sense, they've already paid for my first seven years of
If I'd had to buy that software retail it would have cost more than the values I've put down for it.
If they continue to deliver free apps, and add value to the ones already out there -- something they've shown a willingness to do, then I continue to come out ahead.
And to top it all off, if I wanted to, I didn't HAVE to pay for
The upgrade price of Jaguar for current 10 users is a bit annoying, though. They add a lot and I understand why they're charging... but it should be $70 if you've already bought the box retail, as I have. (But, it's easy for me to say since, as a developer, they'll send it to me anyway. 'Course that cost me $500, but this is just another $129 discount I'm getting, on top of the $2,000 in other discounts I've already gotten.)
Apple treats its people well. Cheapskates will always whine when you try to charge for something that was free... while they happily use iTunes and don't pay for it and give it no value.
That's one downside to open source-- it's played into the pricing psychology discovered long ago. People will value something based on what you're asking for it. Ask $700 for a piece of software and they'll think it's a great deal if they get it for $500. Ask $500 for the SAME SOFTWARE and they'll think it's too expensive and your sales are lower.
Give away software for free, or internet services for free, and nobody pays for them-- which is why nobody's got a successful subscription service on the net (except for a couple situations.)
Apple thought the added value of growing the userbase would offset the costs-- but it didn't, the costs were absurd, and so they are solving the problem. Much as I hate to pay for
Re:Lets all Bash Apple! (Score:2)
This does not make it OK, or a "lesser" offense. If you really think so, lend me your credit card number for 15 minutes, I'd like a new Mac myself.
I tested the hole and hacked some guy's account (Score:4, Funny)
X-Mozilla-Status: 0001
X-Mozilla-Status2: 10800000
Message-ID: 3D3C8A0B.3160711 @ mac.com
Date: Tue, 23 Jul 2002 13:10:34 -0400
From: SexySteve33 stevejobs@mac.com
User-Agent: Mozilla/5.0 (MacOS6; U; en-US; rv:1.0.0) Gecko/20020530
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: "Michael Dell" bigcheez@dell.com
Subject: Please UNSUBSCRIBE ME from your Mailing List
Content-Type: multipart/mixed;
boundary="------------080203142303090106000203"
This is a multi-part message in MIME format.
--------------080203142303090106000203
Content-Transfer-Encoding: 7bit
Mister Dell,
FOR THE THOUSANDTH TIME, "DUDE, I *AM NOT* GETTING A DELL"!! IF I SEE THAT STEVEN IDIOT ONE MORE TIME SMILING STUPIDLY AT ME FROM MY INBOX I'M GONNA SNAP! SPAM ME ONE MORE TIME AND I WILL COME DOWN THERE AND RAM YOUR GODDAMN "DULL LATIDUDE CRAPTOP" UP YOUR FAT WINTEL ASS!!
NOW REMOVE ME FROM YOUR EMAIL LIST!!!!!!!!!!!!!!!!!!!!!!1
I MEAN IT - YOU SEND ME ONE MORE DELL SPAM AND I'M SENDING YOU THE ENTIRE COLLECTION OF SWITCH ADS IN HIGH-QUALITY QUICKTIME FORMAT.
Sincerely,
Steve
"Michael Dell" bigcheez@dell.com wrote:
> How Would YOU feel behind the wheel of a brand new grey plastic laptop?
> Dell has a special one-time only deal on our fiery hot new P4 laptops,
> guaranteed to run twice as hot as the old ones!
>
> We see by your customer profile that you have never had the pleasure of owning
> a Dell. We would like you to switch! Now is the time for us as a wonderful vendor
> and you as a potential victim to get together and make sweet financial love.
[snipped in disgust]
BlackBolt
Please re-file this article (Score:1)
Just because you don't want to pay for it doesn't mean you have to spread ill-researched crap about it.
I'm keeping mine because I like the features. Roughly $8/mo isn't much to ask.
Now fixed (Score:1)
MacFixIt are now reporting that the security hole is fixed:
Apple is not alone in embedding a session key into the URL. Users should be aware that passing on such a URL will (at least for a short while) enable others to use their login.
The hole has already been patched (Score:2)
Here's MacFixIt [macfixit.com]'s summary:
Proxy logs too. (Score:2)
Is Mac webmail encrypted?
Re:Proxy logs too. (Score:1)
Sounds like a fast fix. They patched it before I'd heard about it.