News for nerds, stuff that matters

A Little .Mac Security Flaw

Posted by kdawson on Sunday December 16, @03:15AM
from the case-for-thumb-drives dept.
deleuth writes "The de facto online connectivity software sold along with many Apple computers, .Mac, has a Web interface through which users can check their 'iDisk' while away from their own computer. However, there is no Log-Out button in this Web interface, so most users just close the browser and walk away... not realizing that their iDisk has been cached by the browser and that anyone who wants to can open up the browser, go back to the link in History, and get into their iDisk completely logged in. From here, files can be downloaded and/or deleted. This seems like a minor security flaw via bad interface design, and podcaster Klaatu (of thebadapples.info) posted this on the discussion.apple.com site, only to have his post removed by Apple. Furthermore, feedback at apple.com/feedback has gone unanswered. The problem remains: there is no way for the average computer user to log out of their iDisk on public computers. A quick review of any public terminal's browser history could bring up all kinds of interesting things."

  • Apple's response? (Score:5, Insightful)

    by PFAK (524350) * on Sunday December 16, @03:17AM (#21715224)
    Am I the only one that notices that Apple's response to every problem is a swift "let's delete this topic and pretend the problem doesn't exist"? .. Seems like bad business practice to me.
    • Re:Apple's response? (Score:5, Funny)

      by mboverload (657893) on Sunday December 16, @03:20AM (#21715240) Homepage Journal
      > Am I the only one that notices that Apple's response to every problem is a swift "let's delete this topic and pretend the problem doesn't exist"? .. Seems like bad business practice to me.

      0H N0ES U DIDNT APPLE IS TEH PERFECT
      • A minor flaw? Tosh. (Score:5, Insightful)

        by blowdart (31458) on Sunday December 16, @04:23AM (#21715478) Homepage

        0H N0ES U DIDNT APPLE IS TEH PERFECT

        Indeed; I'm somewhat amused that this is described as a "minor" security flaw in the summary and blamed on the user interface. If it was a Microsoft web site it would be described as a major flaw and the foaming at the mouth would begin. Nor is it a user interface problem; by using session cookies closing the browser would logout the user, with or without a logout button.

        The site listed (but not linked [thebadapples.info]) in the summary doesn't describe the issue as minor, or a UI problem, so one can only assume that description comes from the summary author.

        • Re:A minor flaw? Tosh. (Score:5, Funny)

          by Colin Smith (2679) on Sunday December 16, @05:32AM (#21715710)

          Indeed; I'm somewhat amused that this is described as a "minor" security flaw in the summary and blamed on the user interface. If it was a Microsoft web site it would be described as a major flaw and the foaming at the mouth would begin.
          Macs make up about 3% of the computer-using population. This means all flaws are minor.

          • Re:A minor flaw? Tosh. by kestasjk (Score:3) Sunday December 16, @06:27AM
          • Re:A minor flaw? Tosh. by Bearhouse (Score:2) Sunday December 16, @08:57AM
          • Re:A minor flaw? Tosh. (Score:4, Informative)

            by jackpot777 (1159971) on Sunday December 16, @09:06AM (#21716516)
            Macs use computers?

            And I thought it was over 5 percent now [macnn.com]...

            Here's the thing. The only people that have to be worried are Mac users with a dot-mac account. I have an iMac but I wouldn't dream of getting a .mac account. Seeing as it costs $99.95 for a year's membership [apple.com], and for that you get:

            a place to share photos online (which I do for free with Photobucket)

            your own personal web-space (which for personal use, Blogger does the job just fine for me)

            email access anywhere, even on an iPhone (but the iPhone shows your regular ISP email anyway, which is set up the first time you plug your iPhone into your Mac thanks to the settings in the Mail program, and GMail is accessed anywhere with internet connectivity too)

            remote access to your Mac (which I personally have never needed)

            the ability to sync your favourite stuff to the computer you're using (my iGoogle page shows me all the stuff I usually bookmark on any computer I decide to log into Google ...and after that, I have the URLs in my head or I can search for the stuff I want, or just send the URLs in an email to my GMail account, stick a star on the email and sort by stars to find it quickly)

            10GB of storage online for files (XDrive gives 5GB away for free, eSnips gives 5GB away for free, my photos on Photobucket, my videos that I want people to see on YouTube...) .Mac Groups (there are enough free options out there for whatever group I want to start or join ...Google Groups, browsing the old Usenet newsgroups using Thunderbird, etc.)

            Online backup if I don't have OS X 10.5 Leopard (or I can just buy Leopard and get all the new-fangled doohickeys too)...


            What's the point? It's the equivalent of when people had CompuServe in the early-to-mid 90s. They'd pay through the nose to use a proprietary web browser and get access to groups that only other CIS users could use. It's the internet for people that don't know what's out there for nowt, a gated net community.

        • Re:A minor flaw? Tosh. by Malevolyn (Score:3) Sunday December 16, @07:35AM
        • Re:A minor flaw? Tosh. by Scudsucker (Score:1) Sunday December 16, @05:41PM
        • Re:A minor flaw? Tosh. by The One and Only (Score:2) Monday December 17, @08:51PM
        • Re:A minor flaw? Tosh. by stuboogie (Score:1) Sunday December 16, @12:04PM
          • Re:A minor flaw? Tosh. (Score:4, Insightful)

            by shmlco (594907) on Sunday December 16, @02:44PM (#21719028) Homepage
            So the sequence is IF you use a Mac and IF you're a .Mac member and IF you use iDisk and IF you check your iDisk from a public browser THEN someone could potentially access those files.

            Sorry, but the aggregate of all of those conditions is probably 0.000001%. Is it a problem? Yes? A major flaw? No. Worth discussing? Hardly. Check 100,000 public terminals and will you find one instance of the problem? Doubtful. In fact, I'd say that the fact that we're just now discovering the issue five years after .Mac and iDisk premiered illustrates more than anything else just how "significant" it may be.

            Should it be fixed? Sure.

            As to your comments, I'm pretty sure I've never seen anyone at any time claim that Apple or Mac or OS X or the iPod or the iPhone is "PERFECT". Better, perhaps, but perfect? Nope. One has only to look at the tech notes and Software Updates to realize that. As such your entire anti-fanboi rant is pretty much just a strawman set up so you can knock him down, and pat yourself on the back in the process.

            A better issue would have been followed from "A quick review of any public terminal's browser history could bring up all kinds of interesting things." Like failing to log out of Gmail or an Amazon account. But no. We have to do yet another Apple vs. Microsoft vs. Linux flamewar. Guess it's another slow Sunday at /..

            Finally, the summary says, "feedback at apple.com/feedback has gone unanswered"... which is ALWAYS the case. It's a feedback site. It says feedback will be unanswered. To quote, "We read all feedback carefully, but please note that we cannot respond to the comments you submit." But again no, we have to make sure it looks like Apple is ignoring the "problem".
          • Re:A minor flaw? Tosh. by PM4RK5 (Score:3) Sunday December 16, @03:02PM
          • Re:A minor flaw? Tosh. by arminw (Score:2) Sunday December 16, @10:00PM
        • Re:A minor flaw? Tosh. by neomunk (Score:2) Monday December 17, @11:52AM
      • I noticed that, too... by Joce640k (Score:2) Sunday December 16, @10:04AM
    • When Will Apple Learn (Score:5, Insightful)

      by numbsafari (139135) <swilson@b s d 4 u s . o rg> on Sunday December 16, @03:34AM (#21715286)
      I am a new Apple user. And reasonably happy.

      However, there is one thing that I am very troubled by and it is simply this: Apple's apparent arrogance and ignorance when it comes to security.

      Apple has enjoyed a "blanket" of security because it is low profile and a niche. However, as its market share and mind share expands, this period of respite will soon fade.

      You would think that, during this time, Apple would have used the opportunity to develop an internal culture, policies and procedures, as well as infrastructure for dealing effectively with security issues. However, the complete opposite appears to be the case.

      Apple has failed miserably to publicly and actively address such issues. It also fails to respond in anything that could be called a rapid manner to reports of exploitable security holes. Taking actions such as deleting posts that point out security problems makes the situation worse, not better. Failing to publicly document the existence, status and nature of defects makes the situation worse, not better. Being secretive makes the situation worse, not better.

      Apple makes decent hardware. Leopard is very nice to use, though far from perfect. The whole ecosystem and vertical integration is nice. However, the whole thing could come crashing down because of a serious security flaw. If people think Microsoft is susceptible to such a scenario, the Apple empire is even more so.

      It's not a question of if, but when. Will Apple be prepared? So far, all signs point to "NO".

      PS... the CAPTCHA word for this post was "condom".. how appropriate considering the whole point is to have a good prophylactic. A good metaphor for Apple's current approach to security.
      • Re:When Will Apple Learn by noewun (Score:3) Sunday December 16, @03:53AM
      • Re:When Will Apple Learn by mr100percent (Score:3) Sunday December 16, @04:20AM
        • Catchup by Anonymous Coward (Score:1) Sunday December 16, @04:29AM
          • Re:Catchup by Malevolyn (Score:2) Sunday December 16, @07:45AM
          • Re:Catchup by Scudsucker (Score:1) Sunday December 16, @04:34PM
            • Re:Catchup by Scudsucker (Score:1) Monday December 17, @02:29PM
      • Re:When Will Apple Learn by edwardpickman (Score:1) Sunday December 16, @04:41AM
      • Re:When Will Apple Learn (Score:5, Informative)

        by Auckerman (223266) on Sunday December 16, @05:22AM (#21715676)
        Apple has enjoyed a "blanket" of security because it is low profile and a niche. However, as its market share and mind share expands, this period of respite will soon fade.

        You would think that, during this time, Apple would have used the opportunity to develop an internal culture, policies and procedures, as well as infrastructure for dealing effectively with security issues. However, the complete opposite appears to be the case.

        Apple has failed miserably to publicly and actively address such issues. It also fails to respond in anything that could be called a rapid manner to reports of exploitable security holes. Taking actions such as deleting posts that point out security problems makes the situation worse, not better. Failing to publicly document the existence, status and nature of defects makes the situation worse, not better. Being secretive makes the situation worse, not better.


        You are incorrect in so many ways, I find it hard to begin.

        1. There is no proof whatsoever that Apple's install base is the reason Macs are more secure than Windows. Having network servers off by default and having a default web browser that doesn't run code written in C++, Visual Basic, and whatever the hell else ActiveX supports these days is FAR more important than the install base. There are reasons that in the past, if you took a Windows computer out of a brand new box and hooked it up via a DSL or cable modem, your machine was hacked before you were finished logging in for the first time, and it isn't because of the installed base (you do remember that, don't you?). The Windows machine has active network servers running.

        2. Apple doesn't ignore security updates and issues. They fix them. Sometimes even before someone posts about them. If you don't like their update schedule and want Apache or whatnot to be running up-to-date you can install from the CVS just like the Linux and BSD people do. To me it's like saying Red Hat doesn't respond rapidly to security holes. If you want a day zero fix, update from CVS. For the common user all of this is irrelevant, since their default install isn't listening to network traffic. Apple has also included other under-the-hood improvements, just like all other vendors, to minimize the risk of buffer overflows.

        I'm sorry, Apple's not walking some kind of security minefield just getting lucky all the time. Just like Linux isn't. Unix style security just works very well and is easy to manage. Your computer isn't magic, there's a reason why Microsoft's operating systems are getting owned all the time. There are a LOT of reasons for this, most of them boil down to bad default installs and the environment Microsoft has created within its developer community. An environment that fosters laziness and has typically done very little to stop their bad practices. Things like making applications that require the admin to be logged in in order to run. Which in turn leads to the floor-level tech just giving everyone admin access.

        Your computer is not made of magic, there are reasons Microsoft's operating systems suck and people complain about them and it's not because they are "not Apple and have a small install base".
      • Re:When Will Apple Learn by Nimey (Score:2) Sunday December 16, @05:35AM
      • Re:When Will Apple Learn by apoc.famine (Score:1) Sunday December 16, @09:47AM
      • Re:When Will Apple Learn (Score:5, Informative)

        by 99BottlesOfBeerInMyF (813746) on Sunday December 16, @11:51AM (#21717636)

        However, there is one thing that I am very troubled by and it is simply this: Apple's apparent arrogance and ignorance when it comes to security.

        Apple is a mixed bag when it comes to security. They have employees they acquired from other companies specializing in Web technologies, graphics, video, and numerous other topics, as well as old-school Apple employees many of whom do not take security seriously enough. On the other hand they have all the NeXT employees and all the old-school Unix guys they've hired on to manage the guts, who live and breathe security. As a result, in some ways Apple is way ahead of the game for security (like with their new sandboxing and signing frameworks in Leopard) and in others they seem oblivious. I can't think of another consumer desktop oriented OS that ships with so few services running, and with almost all of those sandboxed. Then you get to other things Apple, like some of their userland applications and Web services and you wonder that the same company could produce both of them. Apple is pretty schizo in this regard.

        Apple has enjoyed a "blanket" of security because it is low profile and a niche. However, as its market share and mind share expands, this period of respite will soon fade.

        I disagree. Apple is a juicy target for exploitation for many reasons. They are less likely to be exploited due to a number of market and social factors, but in general, Apple's security has been fairly sound and that is why they are not worm food. Further, I don't see Apple's security record becoming poor in the future. Apple, Linux, Solaris, etc. all have one major thing that will keep them more secure than Windows is today... motivation. If Apple's security starts to fail for their users, Apple loses money as they move away. Thus, Apple has direct financial motivation to fix the problem, and they will. This is the advantage of a free market. Microsoft, however, has a monopoly, so even when their users are screaming out for better security, MS loses very few, if any, if they ignore their customers and focus instead on locking in a new market and this latter action will make them more money. They have direct financial motivation to do little more than provide the appearance that they are doing something security-wise, and that is what they keep delivering.

        You would think that, during this time, Apple would have used the opportunity to develop an internal culture, policies and procedures, as well as infrastructure for dealing effectively with security issues. However, the complete opposite appears to be the case. Apple has failed miserably to publicly and actively address such issues. It also fails to respond in anything that could be called a rapid manner to reports of exploitable security holes. Taking actions such as deleting posts that point out security problems makes the situation worse, not better. Failing to publicly document the existence, status and nature of defects makes the situation worse, not better. Being secretive makes the situation worse, not better.

        Here is my experience with Apple's security response. My co-worker found a potentially exploitable hole in OS X. He went to Apple's Web site and reported it as a security bug in the bug report section, not commenting the forums that are for users not Apple employees. Apple sent him a message a few days later saying they'd look into it. A few weeks later the next security update for OS X came out and fixed the problem, including crediting my co-worker with discovering it. It was painless and quite rapid for that large of a project, considering the time for research, coding a fix, testing, and rollout, in fact a lot faster than our average response time to that same priority of bug (and we sell much more critical security devices). From everything I've seen, Apple responds fairly quickly to security issues reported to them and the only instances where there are major problems are where researchers refuse to give Apple details before p

      • Re:When Will Apple Learn by ToasterMonkey (Score:2) Sunday December 16, @02:58PM
      • Re:When Will Apple Learn by arminw (Score:2) Sunday December 16, @10:19PM
      • Re:When Will Apple Learn by Ilgaz (Score:3) Monday December 17, @09:11AM
      • Re:When Will Apple Learn by nine-times (Score:2) Monday December 17, @11:43AM
      • Re:When Will Apple Learn by stewbacca (Score:2) Monday December 17, @12:43PM
      • Re:When Will Apple Learn That by tuxic (Score:1) Sunday December 16, @10:59AM
    • Re:Apple's response? by kaos07 (Score:2) Sunday December 16, @03:39AM
    • Re:Apple's response? by aliquis (Score:2) Sunday December 16, @03:48AM
    • Your .sig by Knuckles (Score:2) Sunday December 16, @04:00AM
    • Other Apple security controversy (Score:5, Informative)

      by DigitAl56K (805623) on Sunday December 16, @04:53AM (#21715574) Homepage
      The Reg is currently questioning Apple's approach even in addressing well-known security vulnerabilities that it has actually acknowledged:

      http://www.theregister.co.uk/2007/12/15/apple_security_fixes/ [theregister.co.uk]
    • Re:Apple's response? by the_womble (Score:2) Sunday December 16, @05:19AM
    • Re:Apple's response? by hankwang (Score:2) Sunday December 16, @05:20AM
    • Re:Apple's response? by d20_techie (Score:1) Sunday December 16, @05:25AM
    • this is common by Erpo (Score:2) Sunday December 16, @05:29AM
    • Re:Apple's response? by Provocateur (Score:1) Sunday December 16, @09:07AM
    • Re:Apple's response? by Senjaz (Score:2) Sunday December 16, @09:53AM
    • Re:Apple's response? by failedlogic (Score:2) Sunday December 16, @10:28AM
    • Re:Apple's response? by PopeRatzo (Score:2) Sunday December 16, @10:58AM
    • Re:Apple's response? by DurendalMac (Score:2) Sunday December 16, @12:48PM
    • Re:Apple's response? by Ilgaz (Score:2) Monday December 17, @08:29AM
    • Re:Apple's response? by fattybob (Score:1) Monday December 17, @10:02AM
  • Slant much? (Score:4, Insightful)

    by Osty (16825) on Sunday December 16, @03:19AM (#21715234) Homepage

    I love how this is a "little", "minor" security flaw, and even though Apple actively deleted the post exposing this information nobody's really up in arms as it's just due to "bad interface design". If this were a Microsoft property, people would be screaming bloody murder.

  • Clear private data (Score:3, Interesting)

    by linuxci (3530) on Sunday December 16, @03:23AM (#21715254) Homepage
    Tools > Clear Private Data in Firefox is the option you need.

    Not having a log out button is bad design, but many people forget to click them; you need a decent timeout to reduce the risk for those that don't log out.

    Does this system keep you logged in (via cookies) if you close the browser and restart it? If so that's a very bad design.
    • Re:Clear private data by QuantumG (Score:2) Sunday December 16, @03:58AM
      • Re:Clear private data (Score:4, Insightful)

        by Osty (16825) on Sunday December 16, @04:29AM (#21715510) Homepage

        2. Slashdot keeps you logged in if you close the browser and restart it.. is that a bad design?

        Slashdot has a "public" option. If you click that when you log in, your login state is only stored for the session and freed when you close the browser.

        3. Many other sites do too.. it's called convenience.

        Many other sites also implement a "public" mode like Slashdot has. Just as two other examples, Microsoft's Outlook Web Access (OWA) lets you choose "public" or "private" when you login, and Microsoft's Passport/Windows Live ID gives you the option to save email + password, just email, or nothing (the latter two are effectively session-only logins, as you still need the user's password in order to login subsequently). As well, every other site also has the ability to logout, which .Mac is missing.

        Otherwise, yes, you're right a decent timeout is a good idea.. but what is "decent"? Sounds pretty subjective.

        A "decent timeout" is trivially simple -- mark your cookie only valid for the current session (aka, use a "session cookie"). This is at odds with persistent login designs, so you have to give users the option -- login with a session cookie ("public terminal") that will expire when you close the browser, or login with a persistent cookie ("private terminal") that will remain valid for some period of time. If you only choose the latter, like .Mac, you must also provide a "logout" option. Anything less is a security violation.

      • Re:Clear private data by skinfitz (Score:2) Sunday December 16, @11:07AM
    • Re:Clear private data by SoulRider (Score:1) Sunday December 16, @11:46AM
    • Re:Clear private data by bizard (Score:2) Sunday December 16, @12:05PM
    • Or Reset Safari by lullabud (Score:2) Sunday December 16, @02:54PM
    • Re:Clear private data by drewcosten (Score:1) Sunday December 16, @11:56AM
  • Security Through Obscurity (Score:3, Funny)

    by ookabooka (731013) on Sunday December 16, @03:24AM (#21715256)

    podcaster Klaatu (of thebadapples.info) posted this on the discussion.apple.com site, only to have his post removed by Apple.

    Ah, well, see, so long as Apple makes sure no one knows about this, it won't be a problem. Surely everyone on Slashdot sees the validity of this strategy. (God I love my sig)
  • Huh? (Score:5, Informative)

    After accessing your iDisk in Firefox:

    • Tools -> Clear Private Data

    In Safari:

    • Safari -> Reset Safari

    Or if you remember to do so before visiting .Mac's iDisk page:

    • Safari -> Private Browsing

    Problem solved.

    So yes, there are ways for the average user to log out of their iDisk from a public terminal. They just simply have to use the existing facilities at their disposal.

    Yaz.

    • Re:Huh? by Shifuimam (Score:2) Sunday December 16, @03:38AM
      • Re:Huh? by Moofie (Score:2) Sunday December 16, @03:57AM
        • Re:Huh? by MobileTatsu-NJG (Score:2) Sunday December 16, @06:48AM
        • Re:Huh? (Score:5, Insightful)

          by tedrlord (95173) on Sunday December 16, @07:55AM (#21716236)
          The whole problem is that they're not concerned about security. Most security measures are because users aren't concerned about security. They get really concerned when they find out someone's taken all their stuff, but that's a different subject.

          Anyway, as computer nerds, we're supposed to be concerned about computer security. Most people aren't. They have their own concerns. I'm glad that they're around to look after other things, so I don't have to be concerned about my bank running out of money, or my medication not being poisoned, or my car falling apart while I drive it, or all those nice other things that could be a really big problem if there weren't people making sure we were safe.

          Anyway, a good computer security example is antivirus software. I stay the hell away from the stuff, it's slow and buggy and bogs down my system more than most viruses do. On linux, it's not an issue since security issues there are better handled by better configuration and monitoring, and on my windows box I just use manual system/network diagnostic tools to keep an eye on it and fix whatever's needed.

          Does that mean I recommend the same to my friends? Hell no! I make sure they always run both a good antivirus and a firewall at all times. Otherwise they get viruses constantly. They just don't have the background to understand what they should and shouldn't do to avoid the things, not to mention the lack of skill necessary to deal with viruses as they come.

          My friends aren't stupid (most of them anyway), it's just not what they do. They use computers as tools to get things done, and if they're not making it safe and easy to do the work they want, then the computers aren't working right. That's just how it is, and that's why services that allow people to use public terminals need to be built from the ground up to make it secure to use a public terminal.

          You'd think Apple of all people (er, companies) would understand the need to make the right interface for different kinds of applications. Well, maybe I'm thinking back to the Eighties, way before their brushed metal/colorful candy era. If I had my way, they'd have canonized Raskin by now.
          • Re:Huh? by naasking (Score:2) Sunday December 16, @10:42AM
      • Re:Huh? (Score:5, Informative)

        by admactanium (670209) on Sunday December 16, @04:01AM (#21715382) Homepage

        That's great and all, but it doesn't change the fact that (a) any web interface with confidential or private information should have an obvious method of logging out that doesn't require specific knowledge about how to delete cookies for a certain browser/application, and (b) Apple is yet again ignoring and censoring users who are pointing out this flaw.
        i agree. but fyi, i just did this with my own idisk account. if you quit the browser, then you cannot get back to the idisk interface without a password prompt. there should be a log-out function, but it's not as if it's impossible to end the session.
        • Re:Huh? by anser (Score:2) Sunday December 16, @12:44PM
          • Re:Huh? by palmer64s (Score:1) Sunday December 16, @08:46PM
        • Re:Huh? by nine-times (Score:2) Monday December 17, @11:49AM
          • Re:Huh? by palmer64s (Score:1) Monday December 17, @11:15PM
    • Re:Huh? by rastoboy29 (Score:1) Sunday December 16, @07:04AM
    • Re:Huh? by Haeleth (Score:1) Sunday December 16, @07:22AM
    • Re:Huh? by Bearhouse (Score:2) Sunday December 16, @09:07AM
    • Re:Huh? by eck011219 (Score:3) Sunday December 16, @09:55AM
      • Re:Huh? by gordguide (Score:2) Sunday December 16, @02:37PM
        • Re:Huh? by MrAngryForNoReason (Score:2) Monday December 17, @11:09AM
          • Re:Huh? by gordguide (Score:2) Tuesday December 18, @01:05AM
    • Re:Huh? by v1 (Score:2) Sunday December 16, @09:55AM
    • Re:Huh? (Score:5, Insightful)

      by Knuckles (8964) <[gro.naitnad] [ta] [selkcunk]> on Sunday December 16, @04:04AM (#21715394)
      Of course it's a toss-up if an average user would use a log off button

      That's why all bank sites I know log you out if you are inactive for a while. Seems like a good idea.
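Osty's point above (a "public terminal" login should get a session cookie that dies with the browser, a "private terminal" login may get a persistent cookie, and either way the site needs a real logout) and Knuckles' point (bank sites end the session after a period of inactivity) put together in one small server-side session manager. This is an added example, not .Mac's code and not code from anyone in the thread; the class and function names, the cookie name `sid`, and the timeout values are all assumptions made for illustration.

```python
"""Login session handling with public/private terminal modes, an idle timeout
and a server-side logout. Added example: not .Mac's code. SessionStore, login,
validate, logout, the cookie name "sid" and the two constants are assumptions."""

import secrets
import time

IDLE_TIMEOUT_S = 15 * 60           # assumed: 15 minutes of inactivity ends the session
PERSISTENT_MAX_AGE_S = 14 * 86400  # assumed: a "private terminal" cookie lives two weeks


class SessionStore:
    """In-memory session table keyed by an unguessable session id."""

    def __init__(self):
        # session_id -> {"user": str, "last_seen": float, "persistent": bool}
        self._sessions = {}

    def login(self, user, public_terminal, now=None):
        """Create a session; return (session_id, value for a Set-Cookie header)."""
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "last_seen": now,
                               "persistent": not public_terminal}
        cookie = f"sid={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"
        if not public_terminal:
            # Only the private-terminal choice gets an expiry. Without Max-Age or
            # Expires the browser treats it as a session cookie and discards it on
            # close, which is what a public terminal needs.
            cookie += f"; Max-Age={PERSISTENT_MAX_AGE_S}"
        return sid, cookie

    def validate(self, sid, now=None):
        """Return the user for a live session, or None. Touches last_seen on success."""
        now = time.time() if now is None else now
        s = self._sessions.get(sid)
        if s is None:
            return None
        if now - s["last_seen"] > IDLE_TIMEOUT_S:
            # Idle timeout: even a cookie still in the browser is useless once the
            # server has forgotten the session.
            del self._sessions[sid]
            return None
        s["last_seen"] = now
        return s["user"]

    def logout(self, sid):
        """Invalidate server-side; return a Set-Cookie value that clears the browser cookie."""
        self._sessions.pop(sid, None)
        return "sid=; Path=/; Max-Age=0; Secure; HttpOnly; SameSite=Lax"


def demo():
    """Walk the thread's scenario on fixed timestamps; return named observations."""
    store = SessionStore()
    t0 = 1_000_000.0
    sid_pub, cookie_pub = store.login("alice", public_terminal=True, now=t0)
    sid_priv, cookie_priv = store.login("alice", public_terminal=False, now=t0)
    after_logout = store.logout(sid_priv)
    return {
        "public_cookie_is_session_cookie": "Max-Age" not in cookie_pub,
        "private_cookie_persists": "Max-Age=" in cookie_priv,
        "valid_within_timeout": store.validate(sid_pub, now=t0 + 60) == "alice",
        # Reopening the page from History after the idle window finds nothing server-side.
        "expired_after_idle": store.validate(sid_pub, now=t0 + 60 + IDLE_TIMEOUT_S + 1) is None,
        "logout_kills_private": store.validate(sid_priv, now=t0 + 1) is None,
        "logout_clears_cookie": "Max-Age=0" in after_logout,
        "unknown_sid_rejected": store.validate("not-a-real-id", now=t0) is None,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The choice is made once, at login, and the server never trusts the cookie alone: `validate` is what decides whether a session is still alive, so closing the browser, waiting out the idle window, or clicking logout all end it regardless of what the browser still has cached.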
  • another security aspect (Score:2, Interesting)

    by pwizard2 (920421) on Sunday December 16, @03:30AM (#21715272)
    Is the iDisk connection encrypted, or is it wide open?

    This sounds like a job that some sort of graphical SSH frontend could do better. (since OS X has ssh support built in)
  • In other news... (Score:5, Funny)

    by Dieppe (668614) on Sunday December 16, @03:31AM (#21715278) Homepage
    Slashdot editor kdawson and Slashdot submitter deleuth mysteriously disappear...
  • That's interesting (Score:4, Interesting)

    by Auckerman (223266) on Sunday December 16, @03:33AM (#21715282)
    I've never noticed that before. Probably because desktop WebDav on OS X is so slow that I just use dedicated client apps. The poster isn't being perfectly clear on the whole process for accessing your iDisk via dot mac. Here's how it goes. You sign into dot mac, then you sign into your iDisk. Same username, same password for both. You get a web page that accesses your WebDav folder on Apple's servers. Signing out of dot mac doesn't sign you out of the iDisk. A simple history check pulls it right back up with full write access to your iDisk (clearly not from web cache). No one would expect that behavior. I would assume there is a network idle time out, as dotmac has.

    In real experience terms, this isn't going to be much of an issue until it's fixed, but does put a small stain on the portability of the service. Which is one of Apple's main advertising points for it. Gotta remember though, Apple, like all other companies, is filled with a lot of people. There are moderators on Apple forums, for all we know one of them removed it then notified management of the problem and it's working its way up the command. It's not like Steve Jobs read it and said, "OMGWTFBBQ!?!?! PULL THAT NOW!".

    Though, the extra publicity will help.

  • Just another hit against Apple... (Score:3, Insightful)

    by Shifuimam (768966) on Sunday December 16, @03:35AM (#21715288) Homepage
    Yet another incident where Apple blatantly ignores the customers they claim to value so much...and they will likely continue to do so until there's such a shitstorm about this that they have no choice but to respond. Apple used to be a good company...ten years ago. Now they're just as bad (if not worse, in many regards) as every other IT giant out there. Sad.
  • How many people actually use iDisk? (Score:1, Insightful)

    by Anonymous Coward on Sunday December 16, @03:37AM (#21715296)
    My mother uses a Mac so I was interested in making sure she doesn't get pwned. I never heard of iDisk so I checked it out.

    .Mac iDisk lets you store, access, and share large files with drag-and-drop simplicity. And with ample online storage, even huge files are no problem.

    It sounds neat but mom isn't going to use it. My way to do the same thing is just to ssh to my desktop at work and do whatever. So, I wouldn't use something like iDisk. It is also neat that you can share large files with your buddies. otoh, people can share movies online without iDisk.

    So, my question is, how many people actually use iDisk? How much of a problem is this actually?

    • by admactanium (670209) on Sunday December 16, @03:57AM (#21715364) Homepage

      > So, my question is, how many people actually use iDisk? How much of a problem is this actually?
      actually, i use it all the time. it's a very convenient way for me to let clients download files. i have a hosting account with a traditional host as well, but i never went through the trouble of making/figuring out a nice-looking interface for my clients to use. with idisk i throw them into the public folder, then log into the web interface to set-up/edit their download page. obviously, this isn't great for confidential information, but i rarely deal with stuff that sensitive. i also host one of my personal websites on .mac. i will say however that i don't use the finder's idisk implementation nor do i manage the input/output of my files on the web. i just ftp into my idisk and then deal with the interface afterwards. ftp is much faster than the native interface. but i do find idisk to be really convenient in my particular case.
  • The Cult of the Mac (Score:1, Troll)

    by urcreepyneighbor (1171755) on Sunday December 16, @04:04AM (#21715398)
    If you suppress bad news, it doesn't exist!
  • Apple stealing from MS? (Score:1, Flamebait)

    by dotancohen (1015143) on Sunday December 16, @04:10AM (#21715416) Homepage
    First, Apple, stole the syntax from MS. Now they're implementing unsafe computing practices. What next, EEE?
  • Wait, what?? (Score:5, Interesting)

    by Khyber (864651) <khyberkitsune@gmail.com> on Sunday December 16, @04:15AM (#21715432) Journal
    No SSH session for transmission of personal data, and reliable logout for protection? Insane security practice from a now UNIX-certified OS vendor, especially when it comes to something so private as the transfer of one's hard disk contents to an internet backup? Ah well, it was bound to happen, and it has probably happened in the past, and will likely happen again in the future. Anyone can slip up.
    • You are a heretic, sir! (Score:5, Funny)

      by Quiet_Desperation (858215) on Sunday December 16, @04:29AM (#21715512)
      > Anyone can slip up.

      Ah, but this is Slashdot, where corporations are composed of primordial evil and capitalism is the beefy fart of the Devil. Every slip up is cause for running to the hills to prepare revolutionary strikes, and then run to the other hills and plan counter-revolutionary terror, and we all run around like decapitated chickens shouting comforting mantras like "Information wants to be free!" and "It am teh suk!"
  • My testing (Score:1)

    by Twid (67847) on Sunday December 16, @04:38AM (#21715550) Homepage
    This story is stupid.

    Step 1: Log into .Mac at mac.com - notice big LOG OUT text button on the top right
    Step 2: Click to go to my iDisk - iDisk pops up in a new window
    Step 3: Finish using iDisk, close window
    Step 4: Click the big LOG OUT text button

    dotMac also times out after 30 minutes and forces a re-authentication.

    In other news, your computer is broadcasting an IP Address RIGHT NOW.
  • This just in! (Score:2)

    by krunk7 (748055) on Sunday December 16, @04:49AM (#21715566)

    If you let someone have full access to your computer, they can delete personal files and directories! News at 11!

  • Minor issue. (Score:1)

    by Anonymous Coward on Sunday December 16, @05:11AM (#21715630)
    Really, if the public terminal isn't configured to automatically clear the data when the person has finished there's a problem.
  • Browser Sessions (Score:2)

    by LordLucless (582312) on Sunday December 16, @05:57AM (#21715830)
    I thought that session cookies died when the browser window closed - or does .Mac use URL rewriting?
  • An Apple a day... (Score:1)

    by JAlexoi (1085785) on Sunday December 16, @06:03AM (#21715856)
    That's why I "like" Apple.
    If you don't like something about them, it's you who is wrong.
    And now, if you suspect/have proved a security flaw, you still are on the wrong side of things.

    Microsoft locks you in to software, leaving hardware selection free, Apple locks you in completely. Now tell me who's worse.
  • by Ma8thew (861741) on Sunday December 16, @07:09AM (#21716080)
    A far more pressing concern is that data is transmitted to and from your iDisk insecurely [taoofmac.com]. No one should be storing any sensitive data on their iDisk.
  • by Teisei (1172661) on Sunday December 16, @07:17AM (#21716106)
    I wonder if this article is about how Apple is sweeping problems like dust, under the carpet. Sounds very Microsoft'ish. However, it's also very likely that Apple really takes care of those problems, but I don't understand why to hide them as if they didn't exist at all.
  • by p3d0 (42270) on Sunday December 16, @09:46AM (#21716752)

    > The problem remains: there is no way for the average computer user to log-out of their iDisk on public computers.
    If it uses cookies, you could delete all cookies before you leave.
  • by RAMMS+EIN (578166) on Sunday December 16, @09:46AM (#21716754) Homepage Journal
    This sounds like an opportunity for Apple to add a logout feature for HTTP Basic authentication to their browser. After all, they control both the browser and .mac; they can make this work. I've never understood why there is no logout feature for HTTP Basic authentication.

    I don't know if .mac actually uses HTTP Basic auth for authentication (if I were to guess I would guess not), but still.
  • If someone has physical access to your machine, you're completely screwed 5 ways from Sunday REGARDLESS of the access controls in place. There is NO protection from such an attack. Consider the situation where the site did require a login: the person who gains access to your machine then installs a keylogger and steals your password. SAME conclusion. The key concept here is that no security is invulnerable once you lose control of the hardware. The RIAA and MPAA have been learning this lesson for the past few years. The only way to secure your data, is to encrypt it and carry the security token which holds the decryption hardware and/or key with you. Given enough brute-force or cryptanalysis, even this solution is vulnerable. Some future advancements in security might solve this fundamental problem, but given current knowledge it's simply impossible. In conclusion, the design of Apple's iDrive service is not a security flaw.
  • What? (Score:1)

    This whole article seems to be based on the lack of a "log out" button, except... there is a log out button!

    Here's a screenshot [mac.com]

    It's right there in the top right.

  • 2cents (Score:1)

    by ljjewell (993096) on Sunday December 16, @10:43AM (#21717174) Homepage
    In Firefox: Ctrl+Shift+Del = solves problem.
    In Internet Explorer: Tools --> Delete Browsing History = also solves problem.
  • But wait... (Score:2)

    by jpellino (202698) on Sunday December 16, @10:47AM (#21717190)
    I thought all Macs were used for doing some graphics. How risky can it be?

    (/sarcasm)

  • by jpellino (202698) on Sunday December 16, @11:02AM (#21717298)
    Right next to your username.

  • They deserve it (Score:2)

    by 140Mandak262Jamuna (970587) on Sunday December 16, @11:06AM (#21717336) Journal
    If someone uses a public computer to access their private data, typing in their user names and passwords, and doesn't know how to clear the browser's cache and other private data, they deserve everything they get. People should know what is private and what is public and why things are behind authentication access control screens. People who think they are safe because they killed the browser instance would have left their mail accounts, bank accounts and other things vulnerable too. The malefactor has these tempting fruits; they are not going to be trudging through the hard disk looking for useless stuff.

    It is no different from leaving the house open and blaming the manufacturer of your dining table for not protecting against this possible scenario.

  • by shoor (33382) on Sunday December 16, @01:25PM (#21718322)
    I saw the title, "A Little .Mac Security Flaw", and immediately thought of the campaign song of George B. McClellan when he challenged Abe Lincoln in the 1864 presidential primary. His campaign song began with the lines: "Little Mac, Little Mac, You're the very man, go down to Washington soon as you can." and no, it's not because I'm a history maven or Civil War buff. When I was a kid I had a record, "Huckleberry Hound for President", built around Huckleberry Hound running for president, and one of the things they did was go through old presidential campaign songs looking for something to use for Huckleberry.

    The things that stick in your head from when you're a kid.
  • De facto what? (Score:2)

    by ari_j (90255) on Sunday December 16, @01:30PM (#21718354) Homepage
    I think that "de facto standard" is undergoing the same illiteracy shift as "treasure trove" did, where people don't understand how to parse the phrase, mistake the noun for the adjective and vice versa, and start using the adjective as if it were the noun. Please, help fight this shift in the language. "De facto" is a much more important term than "trove" ever was, so it's essential to our continued ability to communicate effectively that it not lose its meaning and come to just mean "standard." Thank you for your support.
  • Mac zealots : RTFA (Score:1)

    by Coolhand2120 (1001761) on Sunday December 16, @02:03PM (#21718640)
    People keep saying '.mac has a logout button' and 'you can just click here and here to delete your cookies'. That's not the story! The idisk software is lacking a logout button, it is PART of .mac, not .mac. And if you didn't get that from reading the article, surely you understood it from reading other posts. In their rush to defend the indefensible, they blew past the article and said something that is arguably moronic.

    Before you mod me troll or flamebait, it's just an observation not an attack on anyone.
  • Is it fixed yet? (Score:2)

    by Zaphod2016 (971897) on Sunday December 16, @02:20PM (#21718818) Homepage
    function logout() { // kill cookie / session }

    (yes I know Jscript is a poor choice of language here, I am simply proving a point)

    In the time it has taken me to read this thread, this issue could have been fixed. As a mac user, I am very disappointed in such a simple, yet potentially deadly flaw. I am even more disappointed in the forum admin deleting the thread. I am even more disappointed in the posters on /. who are defending this, simply because it happened to "our side". This should have been fixed within an hour of being reported. My clients are much, much smaller than Apple, and they have far better web security than this. Simply unacceptable. Bad timing too. I was considering upgrading to Leopard, and paying for a .mac to use remote backup. Now I wonder how secure my data would be. More damaging: I don't trust this company to tell me if a problem appears.
  • by IBitOBear (410965) on Sunday December 16, @03:21PM (#21719354) Homepage
    Because I am a mean old man, on at least one occasion I have visited the Apple store only to find someone has used their personal iChat login on a machine...

    How does this make me a mean old man?

    When I find that mistake has been made, I delete all their buddies from their buddy list before closing iChat.

    I have to admit, I never thought of looking for .mac history elements, but I am not sure I am mean enough to delete all of someone's stored files...

    Though I have considered sending (but have never sent) "I hate you, never talk to me again you lying slut" messages to the iChat buddies first.

    I am trying to educate little darlings, but telling their buddies to fuck off would prevent the lesson from spreading...
  • There are many classes of related problems here.

    You have sessions that are not terminated explicitly when the user leaves the work area. Leaving yourself logged in has been a problem as long as there's been remotely accessed computers. I remember sitting around in the computer center in the dark back in the '70s because the mainframe we were using automatically resumed checkpointed jobs and the computer center had a policy of not terminating them for power outages less than some period of time.

    You have reusable authentication tokens or session IDs that aren't automatically revoked.

    These combined are a common problem thanks to the statelessness of the web.

    Adding to that the inability to explicitly log out?

    Not good.

    On the other hand, using shared devices with non-trivial persistent state is also a problem. At Usenix one year the word went out that everyone who had used Kerberos logins at the Usenix terminal room should change their passwords, because they'd found some trapdoored Kerberos software on a terminal there. As originally designed, Kerberos was meant to be used with workstations that were trivially re-imaged over the network... they had no persistent state. Now whether Athena workstations were really used that way or not, I don't know, I wasn't at MIT... but the intent was that they be treated as dataless workstations.

    Any system running a web browser, unless it's operated by someone you trust and either re-imaged before you use it or locked down so that even a local attacker using the browser can't initiate a remote execution exploit on it, is not sufficiently secure that you should be trusting it with passwords or other authentication tokens that can be used to access any resources that you actually care about.

    If Apple wanted to really attack security here, then the .Mac login screen would have a warning against using it from any location where this exploit was possible in the first place, and you would be able to indicate that you were working from an untrusted location, and if so you would be automatically prompted for your password after what most people would consider an annoyingly short period of inactivity...

    And track IP addresses, so if you log on from an IP address that someone else had used, you got put in this mode automatically.

    But, really, shared computers ... particularly at public locations ... really shouldn't be used for anything more than googling restaurants and browsing wikipedia.
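    An added example, not code from any poster in this thread or from Apple's .Mac service: a minimal server-side session store in JavaScript (Node.js) that implements the two controls the comment above asks for and that Zaphod2016's `logout()` stub gestures at: explicit revocation of the session ID on logout, and a sliding idle timeout that forces re-authentication. The class and function names and the five-minute limit are assumptions; the clock is injectable so the timeout can be exercised without waiting.

    ```javascript
    // Added example (hypothetical names): server-side session handling with
    // explicit logout and idle timeout. Not from .Mac or any poster's code.
    const crypto = require('crypto');

    const IDLE_MS = 5 * 60 * 1000; // assumed inactivity limit: five minutes

    class SessionStore {
      constructor(idleMs = IDLE_MS, now = Date.now) {
        this.sessions = new Map(); // sid -> { user, lastSeen }
        this.idleMs = idleMs;
        this.now = now; // injectable clock so the timeout is testable
      }

      // Called only after the password check has succeeded. The session ID is
      // random and unguessable; it is the thing a "Back" button would replay.
      login(user) {
        const sid = crypto.randomBytes(32).toString('hex');
        this.sessions.set(sid, { user, lastSeen: this.now() });
        return sid;
      }

      // Map a presented session ID to a user. null means "prompt for the
      // password again". Idle sessions are deleted server-side, so a replayed
      // cookie or history entry cannot revive them.
      resolve(sid) {
        const s = this.sessions.get(sid);
        if (!s) return null;
        if (this.now() - s.lastSeen > this.idleMs) {
          this.sessions.delete(sid);
          return null;
        }
        s.lastSeen = this.now(); // sliding window: activity extends the session
        return s.user;
      }

      // The missing "Log Out" button: revoke the record on the server. Clearing
      // the cookie alone would leave the ID valid for anyone who still has it.
      logout(sid) {
        return this.sessions.delete(sid);
      }
    }

    // Set-Cookie value for the session ID. No Expires/Max-Age makes it a session
    // cookie the browser drops on quit; HttpOnly keeps scripts from reading it.
    function sessionCookie(sid) {
      return `sid=${sid}; Path=/; HttpOnly; Secure; SameSite=Lax`;
    }

    // Set-Cookie value sent with the logout response to clear the client copy.
    function clearCookie() {
      return 'sid=; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=0';
    }

    // Walk through the public-terminal scenario: user logs in, walks away, the
    // next person replays the same session ID after the idle limit has passed.
    function demo() {
      let t = 0;
      const store = new SessionStore(1000, () => t);
      const sid = store.login('constructed-user');
      const active = store.resolve(sid);     // 'constructed-user'
      t = 2000;
      const afterIdle = store.resolve(sid);  // null: replay after idle fails
      return { active, afterIdle };
    }

    module.exports = { SessionStore, sessionCookie, clearCookie, demo };
    ```
    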
  • Obligatory (Score:2)

    by hsa (598343) on Monday December 17, @03:57AM (#21723442)
    Klaatu barada nikto!
  • Deleting comments (Score:2)

    by stewbacca (1033764) on Monday December 17, @12:47PM (#21727174)
    We don't know if Apple REALLY removed comments, or if this guy is just claiming they did. Secondly, we don't know the content of his comments. Perhaps they were vile and inappropriate and/or non-constructive? I'm trying to find more "proof" of this claim, but there is nothing linked in this /. "story". There's always a second side to the story as they say...
  • by Duke Thomas (684070) on Monday December 17, @02:37PM (#21729020)

    Wait a minute, I've looked through all of the 4 mod level posts here, and I see defenses and attacks on apple, but has anyone actually bothered to try this?

    So... what the hell? Of course, what is a little more serious is that this data is all being sent plaintext, but the story as posted doesn't seem to be true, at least based on my casual test.

    Also, isn't it considered good form to bother providing a link to the story we're summarizing? I know this is slashdot and no one bothers to read the text anyway, but for those that do, having to copy/paste URLs and browsing the site for the story being discussed is kind of stupid.

  • by xiaodidi (678443) on Monday December 17, @04:33PM (#21731258)
    If you look at any Finder window, you have a bar on the left hand side. If you right-click on the iDisk icon, you get a pulldown menu with the Eject option...
    At least this works for my own iDisk on my own Mac.
    If you don't see the bar on the left, you should activate it with the tiny rounded-rectangle button on the upper right of the Finder window.
  • by puggsly (1204982) on Tuesday December 18, @12:59PM (#21740934)
    I didn't buy it so I tried it. I opened Safari and connected to my iDisk on the web. I quit Safari and went into history and I was asked for a password. I guess had I not quit safari and the session had not timed out, maybe then but I think I could run into that on Amazon! Am I missing something? Maybe that is why Apple deleted the posting because it was wrong! Just a thought?
  • Re:quix fix (Score:1)

    by Mathinker (909784) on Sunday December 16, @04:05AM (#21715402) Journal
    Didn't you skip

    step 0. Boot Linux from USB.

    ?

    Assuming firefox will only use ramdisk for its cache, of course...
  • Re:The price of popularity (Score:3, Insightful)

    by 99BottlesOfBeerInMyF (813746) on Sunday December 16, @01:13PM (#21718250)

    > ...chuckling not only at the security issues that are popping up, but at Apple's reaction to all of them.

    I've been working in the security industry for years. I've submitted bugs to Apple, MS, and various Linux and BSD projects. Apple's reaction to such submissions has been better than average. For the most part, they seem to acknowledge security related bugs and fix them before they are exploited, including providing credit to the bug reporter. I guess what I'm saying is, if you're judging "Apple's" response to security related bugs, maybe looking at how they handle problems reported to them through their publicly accessible bug reporting system is a better measuring stick than looking at how they handle posts in forums. Not that I approve of censoring their forums, it just doesn't seem to be an important aspect of how they respond with regard to security. Not to sound like an Apple fan or anything, but I've frankly been impressed by Apple's quick turnaround on serious bugs.

  • Re:Perspective (Score:2)

    by MLease (652529) on Monday December 17, @06:16AM (#21723834)
    Way to not read TFS, let alone TFA! The issue is not someone having access to your computer; the issue is logging onto your iDisk remotely from a public computer, and not being able to log out. This allows someone to track back through the browser history, and access your iDisk with your login credentials.

    -Mike

  • not a problem if you enable Private Browsing in Safari
    Private browsing means no cookies, no history, no downloads window/history. It is a bit overkill instead of Apple fixing the issue themselves. Also all should remember .Mac is not a free service, it is a very expensive online service.

    (From Safari Help)
    When private browsing is turned on:

    Webpages are not added to the history list.

    The Downloads window is cleared so the name of anything you downloaded won't appear in the list. (To get rid of the downloaded item itself, you must delete it.)

    Information isn't saved for AutoFill, including names and passwords.

    Searches are not added to the pop-up menu in the Google search field.

    Cookies are deleted.
