Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Apple Businesses

.Mac Webmail Security Hole Allows Arbitrary Access 40

TexTex writes "Apple's release of .Mac brings their webmail system to the front as one way for .Mac users to access their email (previously webmail was in beta under iTools). However, it seems the URLs that Apple's scripting uses point directly to individual messages rather than requiring you to log in first. So I'm able to type any message's unique URL from any computer and read the contents, regardless if I'm a user of .Mac or not, and without logging in. MacFixIt has a full report of one reader's findings." While the URLs may not be easy to guess, they will show up in referer logs if a webmail user clicks a link in an email to go to another web site.
This discussion has been archived. No new comments can be posted.

.Mac Webmail Security Hole Allows Arbitrary Access

Comments Filter:
  • They did pretty well on the Software Update security flaw - how long do you think they will take to fix this, given that it is a *ahem* Premium Service?
  • by torinth ( 216077 ) on Thursday July 25, 2002 @07:28AM (#3950470) Homepage
    I vaguely remember something like this happening with Hotmail about 2 years ago. Somebody even figured out how to generate the URL's given a username, so you could go and read anybody's hotmail if you wanted to. The hole was probably a little different than this, but it's along the same lines.

    -Andrew
  • Guess what, Apple? This would have been unacceptable in any case, but now that you're charging $100/yr for this service, customers (no longer just "users") or going to start being more demanding about service, reliability, and security. It's the flip side of the coin, almost literally.
  • I've not tested this yet on other random numbers but that constitutes quite a hole. I'd imagine Apple will be quick to fix it though...they're getting enough media flak for charging for the service now.
    • by sg3000 ( 87992 ) <sg_public@ma c . c om> on Thursday July 25, 2002 @07:45AM (#3950546)
      > I've not tested this yet on other random numbers but
      > that constitutes quite a hole. I'd imagine Apple will be
      > quick to fix it though...they're getting enough media
      > flak for charging for the service now.

      Acutally, with Apple's current track record, they'll make a fix, but to get it, you have to pay an extra $29/year to upgrade to a "premium" account. Luckily, they'll bundle a rock that keeps tigers away (a $59 value), so it will still be a good deal!
      • Right...

        Just like the fix for Software Update that came less than a week after the exploit was published (and Apple wasn't even contacted first).

        Apple has a good track record for fixing the limited security issues that have been exposed. I'm confident this will be fixed in less than 5 days.
  • by Anonymous Coward
    Is there a good reason to have referer-headers these days? As far as I can tell they are only abused for locking people out and discovering information that should not be discovered. Yes, the .mac implementation is asking for trouble with or without referer headers, but still...
    • Well, if you run a website, they're pretty useful for finding out how people are getting to your site, what they're searching for to get to it, seeing which big site is linking to you and sapping all your bandwidth, etc. etc. Those are just off the top of my head.

      Of course, the main reason is that, without referer logs, you'd never have sites like Disturbing Search Requests [weblogs.com].

    • They can be useful...

      1) If a page normally displayed within a frame set is navigated to from outside of the site it would not appear within the frame set. The page would be without its main form of site navigation.

      By checking the referrer header in javascript you can cause the page to be reloading within the frame set. This is one way you can repair frame sets.

      2) The referrer header allows a page author to see who is linking to him. A useful statistic.

      3) You can set up a redirect on your site so people linking from slashdot end up seeing google's cached version of your site so you don't get Slashdotted.

      Just some things of the top of my head, there are probably more legitimately useful things to use it for.
  • Apple and security (Score:4, Interesting)

    by theolein ( 316044 ) on Thursday July 25, 2002 @07:55AM (#3950599) Journal
    As other's have pointed out Apple will take some flak because of this because of the move to a subscription of $100/year for the .Mac stuff. Apple has been good about responding to security problems generally but they will also have to realise that the renewed popularity of the Mac and OSX is going to atract some "insects" to the light, so to speak. This is the same hole as Hotmail had about a year ago and Apple would be advised to wake up and be more careful in future.

    At MacFixit, the also point out that Apple's German version of the webmail service is so badly translated (archiv does not mean trash in English, Apple) and I find it Ironic that the info and post is on MacFixit, a site whose excellent service to the Mac community got it blacklisted by Apple at the last BS MacWorld NY.

    Once again Apple: wake the fuck up.
  • Hmmmm. (Score:4, Funny)

    by usr122122121 ( 563560 ) <usr122122121.braxtech@com> on Thursday July 25, 2002 @09:48AM (#3951159) Homepage
    Let me get this straight, Apple [apple.com] doesn't know how to use WebObjects [apple.com] correctly?

    Someone call Alanis Morissette, this is the real thing.

  • NOT a security hole. (Score:3, Informative)

    by Saithier ( 75915 ) on Thursday July 25, 2002 @11:49AM (#3952053)
    A little research is usually good, and a basic understanding of how WebObjects works usually helps. When you login to a webobjects app (webmail in this case) you get a unique session id that becomes part of the url and is passed to the app with every transaction. This is how it identifies the user. This session id is only used once. If the user logs out, and logs in again, they get a new session id. What is happening in this case is that whomever discovered this "security hole" copied the url to the email, did not logout of webmail, quit the browser (or opened a different one) and pasted the url in there, voila, the email shows up. However, if (s)he clicked the logout button before attempting to open the url it would not have worked. Try it yourself to verify if you don't believe me.

    Cheers
    • So if someone guesses the URL when I'm logged in, they can read my email. Less likely, but a security hole nonetheless
    • Well it may become more of an issue with HTTP_REFERER http header which is the URL the user was on before clicking a link.

      If a user reads a malicious e-mail i sent which has link to somewhere on my web server, if i happen to be tailing my logs at that very moment, chances are i can turn around and paste their referrer URL into my own browser and be reading their e-mail.

      But that's an issue with URL-based session persistence/authentication tracking overall. This should at the very least be coupled with checking against the user's IP address.

      But a Cookie-Based session persistence scheme would seem more appropriate/secure in this case.

      I do hope Apple also took care of client-side scripting vulnerabilities. mmMMm.

  • by BitGeek ( 19506 ) on Thursday July 25, 2002 @11:52AM (#3952078) Homepage
    Yet another excuse to Bash Apple.

    This is silly. First off, the URL is only valid for 15 minutes or so.

    Secondly, it is such an easy fix, I wouldn't be surprised to find out that it isn't already fixed and implemented. All they have to do is check the ip address of the machine making the request, or move to cookies for session info. Or, better yet, go to SSL.

    I can understand people being pissed about having to pay for ,Mac-- people are cheap SOBs in general. Including me. They misexecuted this one.

    But to have the highest moded post in this discussion being a straight out bash calling for Apple to "wake up" is absurd- and ignores the fact that they have long been delivering the best value for the money of any computer maker out there. They don't charge for iTunes,($30 worth), iMovie ($20 worth to me), Quicktime ($20 worth to me - I get pro features by writing my own player, the codecs are worth $20 to me easily.) iCal or iSync, $25 and $5 respectively. Mail.app, $25, Deve environment is worth $300, Sherlock3 is worth $30, iDVD $40 worth..... so in a sense, they've already paid for my first seven years of .Mac by giving me software worth that much *to me*. And I didn't even include iPhoto, or the FCP and Cinema tools discounts that I get for being a Mac user.

    If I'd had to buy that software retail it would have cost more than the values I've put down for it.

    If they continue to deliver free apps,and add value to the one's already out there -- something they've shown a willingness to do, then I continue to come out ahead.

    And to top it all off, if I wanted to, I didn't HAVE to pay for .Mac.

    The upgrade price of jaguar for current 10 users is a bit annoying, though. They add a lot and I understand why they're charging... but it should be $70 if you've already bought the box retail, as I have. (But, its easy for me to say since, as a developer, they'll send it to me anyway. Course that cost me $500, but this is just another $129 discount I'm getting, on top of the $2,000 in other discounts I've already gotten.)

    Apple treats its people well. Cheapscates will always whine when you try to charge for something that was free...while they happily use iTunes and don't pay for it and give it no value.

    Thats one downside to opensource-- its played into the pricing psychology discovered long ago. People will value something based on what you're asking for it. Ask $700 for a piece of software and they'll think its a great deal if they get it for $500. Ask $500 for the SAME SOFTWARE and they'll think its too expensive nad your sales are lower.

    Give away software for free, or internet services for free, and nobody pays for them-- which is why nobody's got a successful subscription service on the net (except for a couple situations.)

    Apple thought the added value of growing the userbase would offset the costs-- but it didn't, the costs were absurd, and so they are solving hte problem. Much as I hate to pay for .Mac, even though I'm getting a great deal at $50 and have lots of free software to balance it out, I would rather have them do this than have them eliminate the service.
    • This is silly. First off, the URL is only valid for 15 minutes or so.

      This does not make it OK, or a "lesser" offense. If you really think so, lend me your credit card number for 15 minutes, I'd like a new Mac myself.

  • by BlackBolt ( 595616 ) on Thursday July 25, 2002 @12:13PM (#3952228) Homepage Journal
    From - Tue Jul 23 13:10:54 2002
    X-Mozilla-Status: 0001
    X-Mozilla-Status2: 10800000
    Message-ID: 3D3C8A0B.3160711 @ mac.com
    Date: Tue, 23 Jul 2002 13:10:34 -0400
    From: SexySteve33 stevejobs@mac.com
    User-Agent: Mozilla/5.0 (MacOS6; U; en-US; rv:1.0.0) Gecko/20020530
    X-Accept-Language: en-us, en
    MIME-Version: 1.0
    To: "Michael Dell" bigcheez@dell.com
    Subject: Please UNSUBSCRIBE ME from your Mailing List
    Content-Type: multipart/mixed;
    boundary="------------080203142303090106000203"

    This is a multi-part message in MIME format.
    --------------080203142303090106000203
    C ontent-Type: text/plain; charset=us-ascii; format=flowed
    Content-Transfer-Encoding: 7bit

    Mister Dell,

    FOR THE THOUSANDTH TIME, "DUDE, I *AM NOT* GETTING A DELL"!! IF I SEE THAT STEVEN IDIOT ONE MORE TIME SMILING STUPIDLY AT ME FROM MY INBOX I'M GONNA SNAP! SPAM ME ONE MORE TIME AND I WILL COME DOWN THERE AND RAM YOUR GODDAMN "DULL LATIDUDE CRAPTOP" UP YOUR FAT WINTEL ASS!!

    NOW REMOVE ME FROM YOUR EMAIL LIST!!!!!!!!!!!!!!!!!!!!!!1

    I MEAN IT - YOU SEND ME ONE MORE DELL SPAM AND I'M SENDING YOU THE ENTIRE COLLECTION OF SWITCH ADS IN HIGH-QUALITY QUICKTIME FORMAT.

    Sincerely,
    Steve

    "Michael Dell" bigcheez@dell.com wrote:

    > How Would YOU feel behind the wheel of a brand new grey plastic laptop?
    > Dell has a special one-time only deal on our fiery hot new P4 laptops,
    > guaranteed to run twice as hot as the old ones!
    >
    > We see by your customer profile that you have never had the pleasure of owning
    > a Dell. We would like you to switch! Now is the time for us as a wonderful vendor
    > and you as a potential victim to get together and make sweet financial love.

    [snipped in disgust]

    BlackBolt
  • under the Freaking-out-over-FUD department.

    Just because you don't want to pay for it doesn't mean you have to spread ill-researched crap about it.

    I'm keeping mine because I like the features. Roughly $8/mo isn't much to ask.

  • Macfixit are now reporting that the security hole is fixed:

    Entering the URL of an e-mail message generated by .Mac's Webmail function on another computer now results in redirection to the .Mac home page; rather than displaying the private message.

    Apple is not alone is embedding a session key into the URL. Users should be aware that passing one such a URL will (at least for a short while) enable others to use their login.

  • Less than 24 hours later, this hole is now gone. Apple seems to be getting pretty good at coming out with fixes quickly.

    Here's MacFixIt [macfixit.com]'s summary:

    Apple has apparently resolved the potentially serious .Mac security hole we first reported yesterday.
    Entering the URL of an e-mail message generated by .Mac's Webmail function on another computer now results in redirection to the .Mac home page; rather than displaying the private message.
  • No doubt.

    Is Mac webmail encrypted?

To the landlord belongs the doorknobs.

Working...