
PA announcement
"Paging Mr Webster for comment duty, Mr Webster please report for comment duty"
Maybe we can get the "Nice" Webster like we did a few days ago.
Apple has inadvertently made it easy for spammers to create a database of MobileMe email addresses. The issue points to a future of more junk mail for Mac heads. They are already being targeted by MobileMe phishing scams. The email harvesting issue arises because every MobileMe user gets a public idisk file-sharing site. …
I know that Mac users generally feel that SPAM, Trojans and Virii happen to other people and, I'm sure, the OS is probably a lot more secure than windows (although I don’t know this for sure) but to (effectively) publish the email address of every user of this service is taking complacency a little too far?
I thought web crawlers worked by following links from one page to another and cataloging everything they see?
So for you to be able to use a web crawler to harvest all the usernames on the idisk, you'd need to have a page that lists every single idisk public folder? Does such an index exist?
Or do web crawlers work differently and somehow find the pages by themselves?
@Andy: whatever the iDisk address is, in my view it should not be possible to conclude the account name or email address from that. If I want friends and relatives to navigate to my shared folders, I will send them a link. And I want to decide who is allowed in. Is iDisk open to the world by default?
Note: I'm not a .mac user, and now I'm not sure I would want to be.
Read the full article (you too, El Reg !). It's not a crawler.
What this iDisk thing gives is a way of verifying a guess about a potential user name @mac.com. So you can generate a million possible addresses, then weed out the ones with no associated account easily.
The only reason I'd expect this to be worth the hassle is if Apple block IPs that send too much bounced email.
Earlier in the year el Reg was reporting on Apple's security folks deciding against patching a security hole in Safari because they didn't really think it mattered. On top of that Paypal blocked Apple's browser, IIRC, for being too insecure, and now MobileMe is sticking a big note on its users' backs saying "Spam me!". Not to mention the bundling of MobileMe into all new iTunes installs whether you use it or not, and attempting to get Safari downloaded onto people's PCs earlier in the year too - it all reeks of bloat and force-feeding people their different solutions and disregard for consumer choice.
They certainly make a shiny, easy-to-use OS on such limited amounts of hardware that it never has to worry about drivers or incompatibility, and I was practically convinced that I was going to buy one last year. Now, however, I'm starting to think Apple need to step back and rethink what they see their customers as, because if the answer is "numbers on our bank balance" then they're just going to get closer and closer to being the people they currently oppose.
I can only hope that's not the answer, and this year's problems are 'bumps in the road' as Apple get used to being popular and realise it isn't all about people worshipping you and feeding you money. We'll see, I guess...
With great power comes great responsibility! And a cool costume... But Jobs doesn't have one of those yet... His ego's already inflated enough as is, right? :D
Aetyr, Safari isn't blocked, it works and has worked.
Here's the quote from the WSJ you may have misread:
Update: We just spoke to PayPal. It seems we in the media are reading too much into this. It will block people using old browsers and old operating systems, but contrary to many reports it will not block Apple’s Safari browser.
As for harvesting MobileMe addresses, this is HARDLY a new tactic, my old Mindspring account (or before that, Netcom) over TEN years ago had my username in it, and was an easy way to figure out my email. You need to get your tech news from more than the Reg if that's what you're doing, their reporting is not somehow less flawed than others :) As for spam, from what I know of friends who have .mac/MobileMe the spam filtering is very good. Personally I don't use M-Me, have no use for it.
The ability of bot armies to spam all permutations of e-mail addresses in parallel makes pre-validation unnecessary. Many spamming bots are also aware of misconfigured/broken mail servers that will route undeliverable mail to a second e-mail address to double the odds of delivery.
I doubt Apple's WebDAV is implemented in a way that allows harvesting of unknown accounts. WebDAV is a resource hog even when used correctly. Allowing deep traversal from the top level would wipe out their servers in no time.
If there's going to be WebDAV abuse, it will be for illegal file sharing. Will Apple play whack-a-mole with everybody using "12345" as their password or will they do like Google and let an algorithm badly guess what account is being abused?
I'm presuming the accounts are setup something like this:
http://idisk.example.com/~username/ (I don't know the exact url) where username is also the email address for the user. Simply scraping the internet for such urls would bypass the need for some form of an index of all the idisk accounts. However, it wouldn't surprise me if there is some form of an index somewhere as well.
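The two comments above describe a username-existence oracle: if a public folder lives at a URL derived from the username, then a 200 versus a 404 on a guessed path confirms or rules out an account, and nothing has to be crawled. The following is an added example, written for this page and not Apple's code or anything from the article; it simulates the oracle with a constructed set of accounts and the placeholder hostname from the comment above, sifts a batch of cheap guesses against it, and then shows two mitigations a service can apply: addressing shares by an unguessable random token rather than the username (so every wrong path gets the same 404), and rate-limiting probes from one client. The path scheme, account list and request budget are assumptions for the demonstration.

```python
import itertools
import secrets
from typing import Callable, Dict, Iterable, Set, Tuple

# Constructed sample data: the accounts that "exist" on the simulated service.
# None of these are real accounts; the hostname is the placeholder from the comment.
EXISTING_ACCOUNTS = {"alice", "bob", "carol", "dave2008"}
HOST = "idisk.example.com"


# ---- leaky design: the public folder path is derived from the username ----
def leaky_status(path: str) -> int:
    """Simulated server: /~<username>/ answers 200 if the account exists, else 404.
    The difference in status code is the oracle; no listing or index is needed."""
    if path.startswith("/~") and path.endswith("/"):
        return 200 if path[2:-1] in EXISTING_ACCOUNTS else 404
    return 404


def candidates(names: Iterable[str], suffixes: Iterable[str]) -> Iterable[str]:
    """Cheap guess generator: common names with and without numeric suffixes."""
    for name, suffix in itertools.product(names, suffixes):
        yield f"{name}{suffix}"


def sift(cands: Iterable[str], status: Callable[[str], int]) -> Tuple[Set[str], int]:
    """Weed out guesses with no account: keep only those the server confirms.
    Returns (confirmed usernames, number of probes sent)."""
    confirmed: Set[str] = set()
    probes = 0
    for user in cands:
        probes += 1
        if status(f"/~{user}/") == 200:
            confirmed.add(user)
    return confirmed, probes


# ---- hardened design: shares addressed by a random token, never by username ----
def make_hardened_service(accounts: Iterable[str]) -> Tuple[Callable[[str], int], Dict[str, str]]:
    """Each account gets a share link carrying a random 128-bit token (assumed scheme).
    The username never appears in the URL, and every unknown path gets the same 404,
    so probing /~<user>/ tells the prober nothing. Returns the status function and
    the per-account links the owner would hand to friends."""
    token_to_user = {secrets.token_urlsafe(16): u for u in accounts}
    links = {u: f"https://{HOST}/share/{t}/" for t, u in token_to_user.items()}

    def status(path: str) -> int:
        parts = path.strip("/").split("/")
        if len(parts) == 2 and parts[0] == "share" and parts[1] in token_to_user:
            return 200
        return 404  # identical for bad tokens, /~user/ paths and everything else

    return status, links


def rate_limited(status: Callable[[str], int], budget: int) -> Callable[[str], int]:
    """Second line of defence: after `budget` probes from one client, answer 429
    instead of consulting the account table at all."""
    seen = {"n": 0}

    def limited(path: str) -> int:
        seen["n"] += 1
        return 429 if seen["n"] > budget else status(path)

    return limited


def demo():
    """Run the same guess list against the leaky, hardened and rate-limited services."""
    names = ["alice", "bob", "carol", "dave", "erin"]
    suffixes = ["", "1", "2008"]
    leaked, probes = sift(candidates(names, suffixes), leaky_status)
    hard_status, links = make_hardened_service(EXISTING_ACCOUNTS)
    hardened_hits, _ = sift(candidates(names, suffixes), hard_status)
    limited_hits, _ = sift(candidates(names, suffixes), rate_limited(leaky_status, budget=5))
    return leaked, probes, hardened_hits, limited_hits, links


if __name__ == "__main__":
    leaked, probes, hardened_hits, limited_hits, links = demo()
    print(f"leaky service: {probes} probes confirmed {sorted(leaked)}")
    print(f"hardened service: confirmed {sorted(hardened_hits)}; {len(links)} share links issued")
    print(f"rate-limited leaky service: confirmed {sorted(limited_hits)}")
```

Run as a script it reports four accounts confirmed from fifteen guesses against the leaky design, none against the token-addressed design, and only the two guesses that fit inside the probe budget against the rate-limited one. The point of the token variant is the one the comment at L10 asks for: the owner decides who gets the link, and nobody can derive the email address from it.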
Somebody has indeed been after .mac accounts for some time now. In the last 3 years I've gotten 5 or 6 password reset request emails from the .Mac system just out of the blue. The headers all say it is in fact from the .Mac system, so someone's been requesting resets on my account.
Oddly, I get almost no spam at all to my .Mac account.
"Well I get 10 x as much spam on my gmail account as I do on .mac - and I've never distributed the gmail address - so I say this is yet another bogus Apple security story. Sorry the sky isn't falling, yet again."
@ Andrew Rennard
I agree 100%. Wouldn't it be easier/faster to simply harvest email addresses by sending an email to every possible combination of characters @me.com, rather than setting up a bot to hit every possible combination of characters at the iDisk web address???
It may not be a crawler but one way it could work is just like a brute force password cracker. Starts with one character and adds more and more till it hits the right one.
On a side note maybe the real Webster was abducted by aliens which is why the new one is so nice. Dear god THEY KILLED WEBSTER. . .THOSE BASTARDS
Have to agree with the other users that actually have a MobileMe account, I've received 0 spam mails during my 1½ of having the service. Getting huge loads to my Gmail/Hotmail, it would be a lot easier to just spider the web for emails or simply guess the addresses than using the idisk folder for this.