Apple’s .Mac iDisk insecure via Web browser

“While I was a fan of .Mac back when it was iTools, these days, I am less allured by its now pay-for services,” Jeff Smykil writes for Ars Technica.

“You are now hard-pressed to use Apple’s operating system without seeing some mention of the service. I dare say that the rise in popularity is most likely due to the presence of Apple retail stores and sales people asking just about anyone who makes a purchase if they would like .Mac with that,” Smykil writes.

“One of the more useful features of .Mac is the ability to access an iDisk from a browser [but] your iDisk might not be as secure as you’d like to think, and for a pretty stupid reason,” Smykil writes.

“According to one Slashdot reader, there is no way to log out of an iDisk in a browser, meaning that another user can access everything on your iDisk using the browser’s history feature. The individual is then apparently free to view and or delete your files. Not good. Not good at all,” Smykil writes.

More info in the full article here.

40 Comments

  1. What’s this MDN?
    No reassuring ‘this is only FUD’ comment from MDN?
    Is this an admission that Macs and OSX and .Mac and Safari and other Apple things are now subject to invasion, attacks, horses, worms, other bad things JUST LIKE WINDOWS?
    Huh?

  2. “Is this an admission that Macs and OSX and .Mac and Safari and other Apple things are now subject to invasion, attacks, horses, worms, other bad things JUST LIKE WINDOWS?”

    Subject to them, yes; but not nearly as vulnerable to them and definitely not JUST LIKE WINDOWS.

  3. “Is this an admission that Macs and OSX and .Mac and Safari and other Apple things are now subject to invasion, attacks, horses, worms, other bad things JUST LIKE WINDOWS?”

    I don’t really think this is any of those things; it’s a problem with the service, not the Mac or OS. Though the issue should be dealt with, those who now know can delete their history, or reset Safari, which is advisable anyway if you do anything secure on a Mac other than your own.

  4. IDK if .Mac sucks or not b/c I’ve never used it. I’ve just always thought it was silly to pay for services you can get for free, or near-free anyway. Never really saw any reason to try it, personally.

    @S. J. Sydney
    I think the whole “…JUST LIKE WINDOWS” part mighta been a little over the top. (I hope that was sarcasm). At risk of sounding ‘fanboy-ish’, I don’t think that one instance of insecurity every now and then will ever justify anything as being ‘just like windows’ when it comes to security.

    Just my 2¢

  5. Note that the reporter is only reporting what he read elsewhere and hasn’t actually tried accessing iDisk via web. I tried it and had to both log in to .Mac, then log in again for iDisk access. I quit the web browser and went back later. Yup, my iDisk showed up in the History menu, but when I tried to access it, it required log in.

    Either the Slashdot reader was using some method to circumvent the login request, or was actually accessing only the Shared Folder on iDisk, which is, unless you change the settings, open to anyone to access. Or perhaps Apple quietly fixed the issue.

    Nonetheless, another reporter parroting hearsay with no research.

  6. @ S.J.

    So you hate the MDN comments, but bitch if they aren’t there? Nice. How about, this is a potential security threat, so they posted it to alert Mac users. They could have not posted it, in which case you would probably be bitching that they were hiding it. If you don’t like the commentary, you can troll elsewhere.

  7. I just tried this on a PC with Firefox, IE and Safari and each time after I had quit out of the app I was prompted for my password when I tried to get back into my iDisk. Not sure if I’m missing something but it seems okay to me.

  8. @S. J. Sydney

    Why be so negative? Did MDN have a choice of whether or not to post this article to their site? If they were only interested in “reassuring ‘this is only FUD'”, why would they have posted this article in the first place?

    Remember, this is “MacDailyNews”. By its nature it is Mac-centric. Just read the news and move on. Spend more time outside.

  9. I have .Mac.

    I’ve tried it using Windows PC’s, Linux PC’s, and Macintoshes.

    On all three, if you quit the browser, you have to re-enter the username and password (though the username is pretty easy to guess).

    That being said – if you are using Safari on a Mac – and have put your .Mac information into the system keychain, then it can give the appearance of allowing “full access” from the history.

    This is because Safari will automatically fill in a form using keychain data and move on to the next page without user input.

    Firefox or IE will simply fill in the form from their password managers.

    So yes, if you are dumb enough to put your .Mac username and password into the password manager of a PUBLIC COMPUTER, then yes, your iDisk can be accessed by anybody.

  10. @jeff

    That may be what’s happening but when you X out of a windows browser you automatically quit the app (as long as you don’t have any other browser windows open). Given that most shared computers are PCs that would probably be enough but yes, I agree, on a Mac you’d need to quit out.

    And yes, if someone clicked ‘remember password’ on a public computer, well, there’s probably not much hope for them.

  11. @ROB

    “I would start fixing .Mac by lowering the price to $29.95.”

    I would start by offering .Mac for FREE!

    There still is no compelling reason for me to pay for the services of .Mac.

    Keep trying Apple.
