
A Little .Mac Security Flaw 328

deleuth writes "The de facto online connectivity software sold along with many Apple computers, .Mac, has a Web interface through which users can check their 'iDisk' while away from their own computer. However, there is no Log-Out button in this Web interface, so most users just close the browser and walk away... not realizing that their iDisk has been cached by the browser and that anyone who wants to can open up the browser, go back to the link in History, and get into their iDisk completely logged in. From here, files can be downloaded and/or deleted. This seems like a minor security flaw via bad interface design, and podcaster Klaatu (of thebadapples.info) posted this on the discussion.apple.com site, only to have his post removed by Apple. Furthermore, feedback at apple.com/feedback has gone unanswered. The problem remains: there is no way for the average computer user to log out of their iDisk on public computers. A quick review of any public terminal's browser history could bring up all kinds of interesting things."
  • Clear private data (Score:3, Interesting)

    by linuxci ( 3530 ) on Sunday December 16, 2007 @04:23AM (#21715254)
    Tools > Clear Private Data in Firefox is the option you need.

    Not having a log out button is bad design but many people forget to click them, you need a decent timeout to reduce the risk for those that don't log out.

    Does this system keep you logged in (via cookies) if you close the browser and restart it? If so that's a very bad design.
  • by pwizard2 ( 920421 ) on Sunday December 16, 2007 @04:30AM (#21715272)
    Is the iDisk connection encrypted, or is it wide open?

    This sounds like a job that some sort of graphical SSH frontend could do better. (since OS X has ssh support built in)
  • That's interesting (Score:4, Interesting)

    by Auckerman ( 223266 ) on Sunday December 16, 2007 @04:33AM (#21715282)
    I've never noticed that before. Probably because desktop WebDAV on OS X is so slow that I just use dedicated client apps. The poster isn't being perfectly clear on the whole process for accessing your iDisk via dot mac. Here's how it goes. You sign into dot mac, then you sign into your iDisk. Same username, same password for both. You get a web page that accesses your WebDAV folder on Apple's servers. Signing out of dot mac doesn't sign you out of the iDisk. A simple history check pulls it right back up with full write access to your iDisk (clearly not from web cache). No one would expect that behavior. I would assume there is a network idle time out, as dotmac has.

    In real experience terms, this isn't going to be much of an issue until it's fixed, but does put a small stain on the portability of the service. Which is one of Apple's main advertising points for it. Gotta remember though, Apple, like all other companies, is filled with a lot of people. There are moderators on Apple forums, for all we know one of them removed it then notified management of the problem and it's working its way up the command. It's not like Steve Jobs read it and said, "OMGWTFBBQ!?!?! PULL THAT NOW!".

    Though, the extra publicity will help.
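The two behaviours discussed above (linuxci's point about idle timeouts and cookies surviving a browser restart, and Auckerman's observation that signing out of dot mac leaves the iDisk session alive) come down to server-side session handling. The following is an added illustration written for this page, not Apple's code: it assumes an in-memory session table, a made-up 15-minute idle limit, and a portal session linked to an iDisk session so that logging out of either ends both.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60  # seconds; assumed value for illustration, not .Mac's real timeout

# Constructed in-memory session table: token -> session record
SESSIONS = {}

def login(user, now):
    """One sign-in creates a portal session and a linked iDisk session; returns both tokens."""
    portal = secrets.token_urlsafe(32)
    idisk = secrets.token_urlsafe(32)
    SESSIONS[portal] = {"user": user, "scope": "portal", "linked": idisk, "last": now}
    SESSIONS[idisk] = {"user": user, "scope": "idisk", "linked": portal, "last": now}
    return portal, idisk

def validate(token, now):
    """Return the user if the token is live and not idle-expired, otherwise None.
    An idle-expired session is dropped so it cannot be revived from History later."""
    s = SESSIONS.get(token)
    if s is None:
        return None
    if now - s["last"] > IDLE_TIMEOUT:
        SESSIONS.pop(token, None)
        return None
    s["last"] = now
    return s["user"]

def logout(token):
    """Invalidate this session AND its linked session, so signing out of the portal
    also ends the iDisk session (the gap the thread describes)."""
    s = SESSIONS.pop(token, None)
    if s is None:
        return False
    SESSIONS.pop(s["linked"], None)
    return True

def session_cookie(token):
    """Cookie with no Expires/Max-Age: the browser discards it when closed,
    so a restart does not come back logged in. Secure and HttpOnly limit exposure."""
    return f"session={token}; Path=/; Secure; HttpOnly; SameSite=Lax"

def private_page_headers():
    """Headers for the iDisk listing so the browser does not keep a cached copy
    that Back/History could show without re-contacting the server."""
    return {"Cache-Control": "no-store, no-cache, must-revalidate",
            "Pragma": "no-cache", "Expires": "0"}
```

A real deployment would back SESSIONS with a shared store and verify the token against it on every request, exactly as validate() does here.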

  • Re:Huh? (Score:2, Interesting)

    by Shifuimam ( 768966 ) on Sunday December 16, 2007 @04:38AM (#21715298) Homepage Journal
    That's great and all, but it doesn't change the fact that (a) any web interface with confidential or private information should have an obvious method of logging out that doesn't require specific knowledge about how to delete cookies for a certain browser/application, and (b) Apple is yet again ignoring and censoring users who are pointing out this flaw.
  • by admactanium ( 670209 ) on Sunday December 16, 2007 @04:57AM (#21715364) Homepage

    So, my question is, how many people actually use iDisk? How much of a problem is this actually?
    Actually, I use it all the time. It's a very convenient way for me to let clients download files. I have a hosting account with a traditional host as well, but I never went through the trouble of making/figuring out a nice-looking interface for my clients to use. With iDisk I throw them into the public folder, then log into the web interface to set up/edit their download page. Obviously, this isn't great for confidential information, but I rarely deal with stuff that sensitive. I also host one of my personal websites on .Mac. I will say however that I don't use the Finder's iDisk implementation nor do I manage the input/output of my files on the web. I just FTP into my iDisk and then deal with the interface afterwards. FTP is much faster than the native interface. But I do find iDisk to be really convenient in my particular case.
  • Wait, what?? (Score:5, Interesting)

    by Khyber ( 864651 ) <techkitsune@gmail.com> on Sunday December 16, 2007 @05:15AM (#21715432) Homepage Journal
    No SSH session for transmission of personal data, and reliable logout for protection? Insane security practice from a now UNIX-certified OS vendor, especially when it comes to something so private as the transfer of one's hard disk contents to an internet backup? Ah well, it was bound to happen, and it has probably happened in the past, and will likely happen again in the future. Anyone can slip up.
  • by TomHandy ( 578620 ) <tomhandy AT gmail DOT com> on Sunday December 16, 2007 @11:33AM (#21717090)
    OS X is more than just a "serviceable X Window replacement".

    And Apple does more than just pick components to cram into a laptop. The MacBook Pro, for example, was designed from the ground up by Apple, and does feature custom-designed internals - yes, obviously some components are standard (the CPU, GPU, etc.) but the motherboard, etc. is original.

    If the MacBook Pro was just a bunch of off-the-shelf components, there would be a lot more 1" thick 5.4 pound laptops out there.

  • by NtroP ( 649992 ) on Sunday December 16, 2007 @05:04PM (#21719740)

    The few times I have submitted comments/bugs to the ADC bugreport email address, I've always received an answer back (even if it's "we're working on it"). The first time it happened I was completely shocked - it was a real email written by a real person with a real answer. Brilliant.

    This has been my experience as well. I've submitted several bugs. The first one was responded to by the next day and that was to ask for more information. It was followed up after a couple of days with a patch emailed to me. They asked me to test it to see if it fixed the issue - it did and was included in the next roll-up patch. The others received answers along the lines of "Thanks, someone else has already reported this, we are working on it, if you have any new information please reference xyz ticket." I even received a phone call once.


    Apple has always been rather prickly when proper procedures aren't followed with bug reporting. A public forum is a good place to ask a question but is definitely *not* the place to submit a security-related report - they were well within their rights to remove it. Although I would have replaced the message with a "Post removed: submit security issues to product-security@apple.com". My only complaint, though, is that if you aren't already familiar with the reporting procedures it's not easy to find where to report bugs. Of course, a little googling or searching on Apple's site gives you the answer, but the average noob won't do that. Of course they also don't know how to properly articulate the issue most of the time either.

  • by Ilgaz ( 86384 ) * on Monday December 17, 2007 @10:11AM (#21724698) Homepage
    The "Feedback" form is for people (like me) to say "Leopard is awful, you shipped it too early". :)

    The actual thing is http://bugreporter.apple.com/ [apple.com] , "New Problem" > "Security" from the drop-down menu.

    He seems to be an advanced user/developer and yet uses the "Feedback" form. Then posts to public forums, ignoring their policies, punishing those non-techie .Mac users.

    Here is the complete open Mozilla project security issue reporting guideline:
    "IMPORTANT: Anyone who believes they have found a Mozilla-related security vulnerability can and should report it by sending email to the address (removed) @mozilla.org. For more information read the rest of this document."

    It doesn't say "Post it using feedback form, if you don't get any response, use mozillazine forums to post it to public and when it is deleted, post it to slashdot" :)
