[26294] in bugtraq
Apple OSX and iDisk and Mail.app
daemon@ATHENA.MIT.EDU (Randal L. Schwartz)
Wed Jul 24 15:16:58 2002
To: bugtraq@securityfocus.com
From: merlyn@stonehenge.com (Randal L. Schwartz)
Date: 24 Jul 2002 09:10:59 -0700
Message-ID: <86vg75xg18.fsf@blue.stonehenge.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
The password for an Apple iDisk is sent via HTTPS/WebDAV. However, if
you configure OSX with an iDisk password, the same password is copied
to the Mail.app configuration (which might not have been previously
configured). Clicking on a "mailto" link fires up Mail.app, which
then connects to mac.com which *does not* support any method of
encrypted password transmission.
Net effect: your iDisk password is transmitted in the clear without
your awareness, albeit as a mail password.
Problems:
- mac.com SMTP doesn't support encrypted passwords
- mac.com's mail password is *always* identical to iDisk password
- OSX's "do what I mean" friendliness saves passwords without knowledge
--
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<merlyn@stonehenge.com> <URL:http://www.stonehenge.com/merlyn/>
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!
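An added example, not code from Randal's post or from Apple: a small Python classifier that reads an SMTP client/server transcript and flags sessions where AUTH PLAIN or AUTH LOGIN was sent without a successful STARTTLS first, which is exactly the exposure described above. The server name, transcripts and credential ("user" / "iDiskPassword") are constructed for the example.

```python
import base64

# Mechanisms whose payload is the raw password, only base64 encoded.
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}


def classify_session(transcript):
    """Classify one 'C: ...'/'S: ...' SMTP transcript: exposed is True when
    a cleartext mechanism was used without a successful STARTTLS first."""
    tls_active = awaiting_tls = exposed = False
    mechanism = None
    for line in transcript.strip().splitlines():
        side, _, text = line.partition(": ")
        if side == "C":
            if text.upper() == "STARTTLS":
                awaiting_tls = True
            parts = text.split()
            if len(parts) > 1 and parts[0].upper() == "AUTH":
                mechanism = parts[1].upper()
                exposed = mechanism in CLEARTEXT_MECHS and not tls_active
        elif side == "S" and awaiting_tls:
            tls_active = text.startswith("220")  # 220 = TLS negotiated
            awaiting_tls = False
    return {"mechanism": mechanism, "tls": tls_active, "exposed": exposed}


def decode_plain(token):
    """AUTH PLAIN carries 'authzid\\0authcid\\0password' in base64; return
    the password field to show what the wire actually exposed."""
    return base64.b64decode(token).split(b"\0")[-1].decode()


# Constructed sample: the mac.com-style exchange the post describes
# (no STARTTLS; the credential is "user" / "iDiskPassword").
CLEARTEXT_SESSION = """
S: 220 smtp.example.invalid ESMTP
C: EHLO client
S: 250 AUTH PLAIN LOGIN
C: AUTH PLAIN AHVzZXIAaURpc2tQYXNzd29yZA==
S: 235 Authentication successful
"""

# Constructed sample: same mechanism, but only after STARTTLS succeeded.
TLS_SESSION = """
S: 220 smtp.example.invalid ESMTP
C: STARTTLS
S: 220 Ready to start TLS
C: AUTH PLAIN AHVzZXIAaURpc2tQYXNzd29yZA==
S: 235 Authentication successful
"""
```

A CRAM-MD5 login is not flagged by this check because the password itself never crosses the wire, which is the "encrypted password transmission" the post says mac.com lacked.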