Bugtraq mailing list archives
Apple OSX and iDisk and Mail.app
From: merlyn () stonehenge com (Randal L. Schwartz)
Date: 24 Jul 2002 09:10:59 -0700
The password for an Apple iDisk is sent via HTTPS/WebDAV.

However, if you configure OSX with an iDisk password, the same password is copied to the Mail.app configuration (which might not have been previously configured).

Clicking on a "mailto" link fires up Mail.app, which then connects to mac.com which *does not* support any method of encrypted password transmission.

Net effect: your iDisk password is transmitted in the clear without your awareness, albeit as a mail password.

Problems:
- mac.com SMTP doesn't support encrypted passwords
- mac.com's mail password is *always* identical to iDisk password
- OSX's "do what I mean" friendliness saves passwords without knowledge

--
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<merlyn () stonehenge com> <URL:http://www.stonehenge.com/merlyn/>
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!
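
Added example (not part of the original post, and not Apple's code): a check a mail administrator or client author could run over a server's EHLO reply to see whether a login password can travel other than in the clear. The EHLO replies and the host mail.example.test are constructed samples, and the outcome labels are this example's own.

```python
# Added example: classify an SMTP EHLO reply by how a login password would travel.
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}          # password is only base64-encoded
CHALLENGE_MECHS = {"CRAM-MD5", "DIGEST-MD5"}  # password itself is never sent

# Constructed sample replies (not captured from any real server).
SAMPLE_CLEARTEXT = ("250-mail.example.test\r\n250-PIPELINING\r\n"
                    "250-SIZE 10240000\r\n250 AUTH LOGIN PLAIN\r\n")
SAMPLE_TLS = "250-mail.example.test\r\n250-STARTTLS\r\n250 AUTH PLAIN\r\n"
SAMPLE_CRAM = "250-mail.example.test\r\n250-AUTH=LOGIN\r\n250 AUTH CRAM-MD5 LOGIN\r\n"


def parse_ehlo(reply):
    """Map each EHLO keyword to its parameters, e.g. {'AUTH': ['LOGIN', 'PLAIN']}."""
    lines = [l for l in reply.splitlines() if l.strip()]
    if not lines:
        raise ValueError("empty EHLO reply")
    caps = {}
    for i, line in enumerate(lines):
        if not line.startswith("250") or line[3:4] not in ("-", " "):
            raise ValueError("not a 250 EHLO reply line: %r" % line)
        if i == 0:
            continue  # first line carries the server's domain/greeting
        parts = line[4:].split()
        if not parts:
            continue
        key = parts[0].upper()
        if key.startswith("AUTH="):  # legacy "AUTH=LOGIN" spelling some servers emit
            parts = ["AUTH", key[5:]] + parts[1:]
            key = "AUTH"
        caps.setdefault(key, []).extend(p.upper() for p in parts[1:] if p)
    return caps


def password_exposure(reply):
    """Return a label describing the best protection the server offers."""
    caps = parse_ehlo(reply)
    mechs = set(caps.get("AUTH", []))
    if "STARTTLS" in caps:
        return "tls-available"            # safe only if the client insists on TLS
    if not mechs:
        return "no-auth-offered"
    if mechs <= CLEARTEXT_MECHS:
        return "cleartext-only"           # any login exposes the password on the wire
    if mechs & CHALLENGE_MECHS:
        return "challenge-response-available"
    return "unclassified-mechanisms"      # mechanisms this example does not know


if __name__ == "__main__":
    for name in ("SAMPLE_CLEARTEXT", "SAMPLE_TLS", "SAMPLE_CRAM"):
        print(name, "->", password_exposure(globals()[name]))
```

A "cleartext-only" result is the situation the post describes: the client has no way to log in without putting the shared password on the wire in readable form.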