Apple’s .Mac iDisk insecure via Web browser

“While I was a fan of .Mac back when it was iTools, these days, I am less allured by its now pay-for services,” Jeff Smykil writes for Ars Technica.

“You are now hard-pressed to use Apple’s operating system without seeing some mention of the service. I dare say that the rise in popularity is most likely due to the presence of Apple retail stores and sales people asking just about anyone who makes a purchase if they would like .Mac with that,” Smykil writes.

“One of the more useful features of .Mac is the ability to access an iDisk from a browser [but] your iDisk might not be as secure as you’d like to think, and for a pretty stupid reason,” Smykil writes.

“According to one Slashdot reader, there is no way to log out of an iDisk in a browser, meaning that another user can access everything on your iDisk using the browser’s history feature. The individual is then apparently free to view and or delete your files. Not good. Not good at all,” Smykil writes.

More info in the full article here.
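The flaw the article describes is a session that can never be ended by the user, so a later visitor who reopens the URL from the browser history is still authenticated. The following added example (not code from Apple, .Mac, or the article's author; the session store, credentials and file listing are constructed for illustration) shows the server-side controls that close that gap: a logout endpoint that destroys the session on the server rather than just hiding the page, an idle timeout for abandoned browser windows, and a `Cache-Control: no-store` header so the private listing is not served back from the browser cache.

```python
import secrets
import time

# Constructed in-memory session store. A real service would use a persistent
# server-side store with the same semantics: create on login, destroy on
# logout, expire when idle.
SESSIONS = {}
IDLE_TIMEOUT = 15 * 60  # seconds of inactivity before a session is dropped

# Constructed demo account and file listing; not a real .Mac account.
USERS = {"alice": "correct horse"}
FILES = {"alice": ["notes.txt", "photos/"]}


def login(username, password, now=None):
    """Return a fresh, unguessable session id on success, else None."""
    if USERS.get(username) != password:
        return None
    sid = secrets.token_urlsafe(32)  # 256 bits of randomness
    SESSIONS[sid] = {"user": username, "last_seen": now if now is not None else time.time()}
    return sid


def logout(sid):
    """Destroy the server-side session so a replayed cookie is worthless."""
    return SESSIONS.pop(sid, None) is not None


def _current_user(sid, now):
    """Resolve a session id to a user, enforcing the idle timeout."""
    session = SESSIONS.get(sid)
    if session is None:
        return None
    if now - session["last_seen"] > IDLE_TIMEOUT:
        SESSIONS.pop(sid, None)  # abandoned window: expire instead of trusting it forever
        return None
    session["last_seen"] = now
    return session["user"]


def handle_request(path, cookie_sid, now=None):
    """Minimal request handler; returns (status, headers, body) like a web framework would."""
    now = now if now is not None else time.time()
    headers = {
        # Tell the browser cache and the Back button not to keep a copy of private pages.
        "Cache-Control": "no-store",
    }
    if path == "/logout":
        logout(cookie_sid)
        # Clear the cookie client-side as well; the server-side pop is what actually matters.
        headers["Set-Cookie"] = "sid=; Max-Age=0; Path=/; Secure; HttpOnly"
        return 302, headers, ""
    user = _current_user(cookie_sid, now)
    if user is None:
        return 401, headers, "login required"
    if path == "/idisk":
        return 200, headers, "\n".join(FILES[user])
    return 404, headers, "not found"


if __name__ == "__main__":
    sid = login("alice", "correct horse", now=1000.0)
    print(handle_request("/idisk", sid, now=1001.0)[0])   # 200 while logged in
    handle_request("/logout", sid, now=1002.0)
    print(handle_request("/idisk", sid, now=1003.0)[0])   # 401 when replayed from history
```

Replaying the same session id after `/logout` (which is what opening the old URL from the history menu amounts to) gets a 401 because the server no longer knows the session; the client-side password-manager autofill that later commenters describe is a separate problem that no server header can fix.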

40 Comments

  1. What’s this MDN?
    No reassuring ‘this is only FUD’ comment from MDN?
    Is this an admission that Macs and OSX and .Mac and Safari and other Apple things are now subject to invasion, attacks, horses, worms, other bad things JUST LIKE WINDOWS?
    Huh?

  2. Is this an admission that Macs and OSX and .Mac and Safari and other Apple things are now subject to invasion, attacks, horses, worms, other bad things JUST LIKE WINDOWS?

    Subject to them, yes; but not nearly as vulnerable to them and definitely not JUST LIKE WINDOWS.

  3. “Is this an admission that Macs and OSX and .Mac and Safari and other Apple things are now subject to invasion, attacks, horses, worms, other bad things JUST LIKE WINDOWS?”

    I don't really think this is any of those things; it's a problem with the service, not the Mac or OS. Though the issue should be dealt with, those who now know can delete their history, or reset Safari, which is advisable anyway if you do anything secure on a Mac other than your own.

  4. IDK if .Mac sucks or not b/c I’ve never used it. I’ve just always thought it was silly to pay for services you can get for free, or near-free anyway. Never really saw any reason to try it, personally.

    @S. J. Sydney
    I think the whole “…JUST LIKE WINDOWS” part mighta been a little over the top. (I hope that was sarcasm). At risk of sounding ‘fanboy-ish’, I don’t think that one instance of insecurity every now and then will ever justify anything as being ‘just like windows’ when it comes to security.

    Just my 2¢

  5. Note that the reporter is only reporting what he read elsewhere and hasn’t actually tried accessing iDisk via web. I tried it and had to both log in to .Mac, then log in again for iDisk access. I quit the web browser and went back later. Yup, my iDisk showed up in the History menu, but when I tried to access it, it required log in.

    Either the Slashdot reader was using some method to circumvent the login request, or was actually accessing only the Shared Folder on iDisk, which is, unless you change the settings, open to anyone to access. Or perhaps Apple quietly fixed the issue.

    Nonetheless, another reporter parroting hearsay with no research.

  6. @ S.J.

    So you hate the MDN comments, but bitch if they aren’t there? Nice. How about, this is a potential security threat, so they posted it to alert Mac users. They could have not posted it, in which case you would probably be bitching that they were hiding it. If you don’t like the commentary, you can troll elsewhere.

  7. I just tried this on a PC with Firefox, IE and Safari, and each time after I had quit out of the app I was prompted for my password when I tried to get back into my iDisk. Not sure if I’m missing something, but it seems okay to me.

  8. @S. J. Sydney

    Why be so negative? Did MDN have a choice of whether or not to post this article to their site? If they were only interested in “reassuring ‘this is only FUD'”, why would they have posted this article in the first place?

    Remember, this is “MacDailyNews”. By its nature it is Mac-centric. Just read the news and move on. Spend more time outside.

  9. I have .Mac.

    I’ve tried it using Windows PCs, Linux PCs, and Macintoshes.

    On all three, if you quit the browser, you have to re-enter the username and password (though the username is pretty easy to guess).

    That being said – if you are using Safari on a Mac – and have put your .Mac information into the system keychain, then it can give the appearance of allowing “full access” from the history.

    This is because Safari will automatically fill in a form using keychain data and move on to the next page without user input.

    FireFox or IE will simply fill in the form from their password managers.

    So yes, if you are dumb enough to put your .Mac username and password into the password manager of a PUBLIC COMPUTER, then yes, your iDisk can be accessed by anybody.

  10. @jeff

    That may be what’s happening but when you X out of a windows browser you automatically quit the app (as long as you don’t have any other browser windows open). Given that most shared computers are PCs that would probably be enough but yes, I agree, on a Mac you’d need to quit out.

    And yes, if someone clicked ‘remember password’ on a public computer, well, there’s probably not much hope for them.

  11. @ROB

    “I would start fixing .Mac by lowering the price to $29.95.”

    I would start by offering .Mac for FREE!

    There still is no compelling reason for me to pay for the services of .Mac.

    Keep trying Apple.

  12. If one is dumb enough to just close the idisk window and not also quit the browser, then … yeah … one stays logged in. But if you quit the browser you have to re-log in. You just can’t select it from the history and get in after having quit the browser.

    As usual, most problems like this are dependent upon people being STUPID. Essentially, if one hasn’t quit the browser, one might as well have left the window open to make it easy for the next guy.

  13. yeah… I’m with the first poster. Dot Mac Sucks.

    Nice feature set, but it just doesn’t work half the time. Can’t log in, syncing gets stuck… all kinds of issues… and now, since the outage yesterday, “Back to My Mac” isn’t working either.

    MDN Word = face. Like, face it, Dot Mac hasn’t really lived up to its potential.

  14. Just like walking away from MSN messenger or Face book or whatever after logging in and the next person that comes along can post as you or access your personal goodies and change the parameters.

    I once used a public computer in a hotel lobby and found that some young girl had left her account name and password in Outlook Express’ incoming mail account. I suddenly had access to all of her e-mail. Yes, I read it and yes, I fixed her mistake.

    Now, was this user stupidity or a flaw in Outlook Express?

    Outlook Express has many flaws, but those of you who said user stupidity, win.

  15. Well, like other readers above, I quit my Firefox application, and then started Firefox again, and was prompted for my userid and password once again. When the author of this article quotes someone from slashdot as saying,

    “According to one Slashdot reader, there is no way to log out of an iDisk in a browser, meaning that another user can access everything on your iDisk using the browser’s history feature. The individual is then apparently free to view and or delete your files. Not good. Not good at all,”

    They should at least try before writing a whole article from a false pre-supposition. Shame on the author for not doing some simple homework.

    P.S. I Use 256-Bit AES encryption with anything I put on my iDisk that I don’t want anyone to pry into. Indeed, I double encrypt my files so that they cannot even get a directory of my encrypted zip file. Who knows what sys admin what security holes exist out there, so it really all boils down to taking care up front.

  16. @ Bill Mac,

    “P.S. I Use 256-Bit AES encryption with anything I put on my iDisk that I don’t want anyone to pry into. Indeed, I double encrypt my files so that they cannot even get a directory of my encrypted zip file. Who knows what sys admin what security holes exist out there, so it really all boils down to taking care up front.”

    I think there is a job for you at the UK Government, judging by the complete lack of encryption that goes on with our personal data.
