
a little .mac security flaw

Submitted by deleuth on Saturday December 15 2007, @04:59PM
security
deleuth writes "The de facto online connectivity software sold along with many Apple computers, .Mac, has a web interface through which users can check their "iDisk" whilst away from their own computer. However, there is no Log-Out button in this web interface, so most users just close the browser and walk away... not realizing that their iDisk has been cached by the browser and that anyone who wants to can open up the browser, go back to the link in History, and get into their iDisk completely logged in. From here, files can be downloaded and/or deleted. This seems like a minor security flaw via bad interface design, and podcaster Klaatu (of thebadapples.info) posted this on the discussion.apple.com site, only to have his post removed by Apple. Furthermore, feedback at apple.com/feedback has gone unanswered. The problem remains: there is NO way for the average computer user to log out of their iDisk on public computers! The format of the link that will get you into an iDisk is this: http://idisk.mac.com/USERNAME?view=web. So a quick review of any public terminal's browser history could bring up all kinds of interesting things."