BugTraq, the well-known mailing list dedicated to security bugs, has published a brief description of a bug affecting Apple's iDisk and the Mail application. The iDisk password is sent to the servers over the secure HTTPS/WebDAV protocol; however, if you configure OS X with the iDisk password, the same password is copied into Mail's configuration (which may not have been set up yet). In that state, clicking a "mailto" link makes Mail connect to the Mac.com servers, for which no encrypted password transmission is provided.
The result is that the iDisk password is sent over the network in the clear, as an email password, without the user realizing it.
The problem, certainly of some gravity, is therefore twofold: the password for the "mac.com" email account is always identical to the iDisk password (so, once discovered, it can be used for both services), and this OS X automatism registers the password without the user being aware of it.
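Two defender-side checks for the situation just described, as an added example (not code from the article, from BugTraq or from Apple). It assumes the mail client speaks POP3 or IMAP, which the article does not specify, and that a capture tool renders the exchange as lines prefixed "C:" (client) or "S:" (server); the transcripts, account records and the password values are all constructed placeholders. The first function flags a password sent before a TLS upgrade, the second applies the article's "same password for both services" reasoning: if any account that shares a password sends it unencrypted, every account sharing that password is exposed.

```python
"""Two defender-side checks: cleartext mail credentials and password sharing.

Added example, not code from the article or from Apple. Assumes POP3 or IMAP
(the article does not name the protocol) and a "C:"/"S:" transcript layout.
All transcripts, account records and passwords below are constructed.
"""
import hashlib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line_no: int
    protocol: str
    reason: str


# POP3 upgrades with STLS, IMAP with "<tag> STARTTLS"; until the server answers
# OK to one of those, USER/PASS and LOGIN travel in the clear.
POP3_STLS = re.compile(r"^C:\s*STLS\s*$", re.I)
IMAP_STARTTLS = re.compile(r"^C:\s*\S+\s+STARTTLS\s*$", re.I)
POP3_PASS = re.compile(r"^C:\s*PASS\s+\S", re.I)
IMAP_LOGIN = re.compile(r"^C:\s*\S+\s+LOGIN\s+\S", re.I)
SERVER_OK = re.compile(r"^S:\s*(\+OK|\S+\s+OK)\b", re.I)


def audit_transcript(lines):
    """Return a Finding for every password sent before TLS was negotiated."""
    findings = []
    awaiting_tls_reply = False
    tls_active = False
    for n, line in enumerate(lines, 1):
        if awaiting_tls_reply and line.lstrip().upper().startswith("S:"):
            # The first server line after STLS/STARTTLS decides the outcome.
            tls_active = SERVER_OK.match(line) is not None
            awaiting_tls_reply = False
            continue
        if POP3_STLS.match(line) or IMAP_STARTTLS.match(line):
            awaiting_tls_reply = True
            continue
        if tls_active:
            continue  # from here on a real capture would be ciphertext anyway
        if POP3_PASS.match(line):
            findings.append(Finding(n, "POP3", "PASS sent before STLS"))
        elif IMAP_LOGIN.match(line):
            findings.append(Finding(n, "IMAP", "LOGIN sent before STARTTLS"))
    return findings


def shared_password_exposure(accounts):
    """Names of accounts whose password also protects an account that sends it
    in the clear. accounts: iterable of (name, password, encrypted_transport).
    Passwords are compared by digest so the grouping can be logged safely."""
    by_digest = {}
    for name, password, encrypted in accounts:
        digest = hashlib.sha256(password.encode()).hexdigest()
        by_digest.setdefault(digest, []).append((name, encrypted))
    exposed = set()
    for members in by_digest.values():
        if any(not encrypted for _, encrypted in members):
            exposed.update(name for name, _ in members)
    return sorted(exposed)


# Constructed transcripts (not real captures); the password is a placeholder.
CLEARTEXT_POP3 = [
    "S: +OK POP3 server ready",
    "C: USER alice@example.test",
    "S: +OK",
    "C: PASS placeholder-password",
    "S: +OK Logged in",
]
UPGRADED_IMAP = [
    "S: * OK IMAP4rev1 ready",
    "C: a1 STARTTLS",
    "S: a1 OK Begin TLS negotiation now",
    "C: a2 LOGIN alice@example.test placeholder-password",  # encrypted on the wire
    "S: a2 OK LOGIN completed",
]
# Constructed account records mirroring the article: one password shared between
# an HTTPS/WebDAV service and a mail account that sends it unencrypted.
ACCOUNTS = [
    ("iDisk (HTTPS/WebDAV)", "placeholder-password", True),
    ("mac.com mail", "placeholder-password", False),
    ("other IMAP over TLS", "different-placeholder", True),
]

if __name__ == "__main__":
    for f in audit_transcript(CLEARTEXT_POP3):
        print(f"line {f.line_no}: {f.protocol}: {f.reason}")
    print("exposed by sharing:", shared_password_exposure(ACCOUNTS))
```

Run stand-alone it reports the POP3 `PASS` line and lists both accounts that share the placeholder password, which is exactly the article's point: the HTTPS-protected iDisk password is only as safe as the weakest service it is reused for.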
A further problem: the login system of the ".Mac" webmail service could be trivially bypassed by simply copying the URL that the WebObjects interpreter generates for each e-mail message. Addresses of the following form:
when pasted into another browser, or on another computer, have the decidedly unwanted effect of displaying the e-mail message the link refers to, with no effort at all. The cause lies in the way WebObjects works: information about the current session is recorded in the URL, so simply copying the address produced the side effect described.
It must be said, however, that these URLs are not valid forever: after a set period of time, or on logout, the session information changes and the same URL no longer works.
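The session behaviour described above, modelled as an added example (not WebObjects code and not from the article): a server-side session store with the two properties the article reports, expiry after a set period and invalidation on logout, plus the mitigation that makes a copied address harmless, namely accepting the session token only from a cookie and refusing requests whose URL carries one. `SESSION_TTL`, the parameter names in `SESSION_PARAMS` (including `wosid`, which I assume here as the WebObjects session parameter) and all sample values are assumptions for this illustration.

```python
"""Session handling that blunts a copied webmail URL.

Added example, not WebObjects code and not from the article. Expiry, logout
invalidation and cookie-only token acceptance are modelled; SESSION_TTL,
SESSION_PARAMS and the sample host are assumptions.
"""
import secrets
import time
from urllib.parse import parse_qs, urlsplit

SESSION_TTL = 15 * 60  # assumed idle timeout in seconds


class SessionStore:
    """In-memory server-side sessions keyed by an unguessable token."""

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so expiry can be exercised in tests
        self._sessions = {}      # token -> (user, last_seen)

    def login(self, user):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (user, self._clock())
        return token

    def resolve(self, token):
        """User for a live token, or None. Touching the session extends it."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, last_seen = entry
        now = self._clock()
        if now - last_seen > SESSION_TTL:
            del self._sessions[token]  # expired: the old token (and URL) is dead
            return None
        self._sessions[token] = (user, now)
        return user

    def logout(self, token):
        self._sessions.pop(token, None)


# Query parameters that commonly carry a session identifier. "wosid" is the
# name assumed here for the WebObjects case; the others are generic examples.
SESSION_PARAMS = {"wosid", "sessionid", "jsessionid", "phpsessid"}


def session_token_in_url(url):
    """True if the query string carries a session-looking parameter."""
    return any(k.lower() in SESSION_PARAMS for k in parse_qs(urlsplit(url).query))


def authorize(store, url, cookie_token):
    """Resolve the requester from the cookie only. A token embedded in the URL
    is never honoured, so a copied link identifies nobody; refusing outright
    is the point at which a service could redirect to its home page, as the
    article says Apple's fix does."""
    if session_token_in_url(url):
        return None
    return store.resolve(cookie_token) if cookie_token else None


def demo():
    """Exercise the four cases: cookie, token in URL, expiry, logout."""
    clock = [1_000.0]
    store = SessionStore(clock=lambda: clock[0])
    token = store.login("alice")
    url_with_token = f"https://webmail.example.test/read?wosid={token}"
    results = {
        "cookie_only": authorize(store, "https://webmail.example.test/read", token),
        "token_in_url": authorize(store, url_with_token, None),
    }
    clock[0] += SESSION_TTL + 1
    results["after_expiry"] = store.resolve(token)
    fresh = store.login("alice")
    store.logout(fresh)
    results["after_logout"] = store.resolve(fresh)
    return results


if __name__ == "__main__":
    for case, user in demo().items():
        print(f"{case}: {user}")
```

Only the cookie-backed request resolves to a user; the same token placed in the URL, the expired token and the logged-out token all resolve to `None`. The time limit alone, which the article notes, narrows the window but does not close it; keeping the token out of the URL is what stops a copied address from opening someone else's mailbox.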
Raising unjustified alarm over this seems excessive to us.
It is certainly easier to read confidential information in the dozens of cookies we receive every day and exchange with the sites we browse.
Furthermore, Apple appears to have quickly fixed this by redirecting to the ".Mac" home page as soon as it detects the conditions of a probable intrusion into another user's mailbox.
In conclusion, some doubt, and a bitter taste, remain over the choice to turn ".Mac" into a paid service while it still lacks guarantees of correct and secure operation.