MacUser
News, info, and opinion by Mac users, for Mac users.

A severe .Mac security flaw surfaces

Posted by Aayush Arya | Monday, December 17, 2007 10:10 AM PT

Apple’s stance on security is a bit confusing to me. On one hand, the company releases fixes for newly discovered security vulnerabilities within hours; on the other, they sometimes seem to ignore holes in their security infrastructure and delete topics on their discussion forums that report them. The most recently discovered security flaw, which has been around for quite a while now, concerns the iDisk feature of Apple’s .Mac suite, which gives you 10GB of web space that you can use to “store, access, and share large files”. It is integrated with the Mac OS X Finder and can also be accessed through a web browser.

I have never had the pleasure of using iDisk (thanks to the lackluster state of broadband penetration in India), but it turns out that there is no option to log out of your iDisk account when you’re accessing it from a web browser. Therefore, those using the service on public computers just close the web browser when they’re done, and anyone who uses the computer next can easily open that person’s iDisk account from the browser history and do whatever they want with the other person’s (private) files. Apparently, Apple deleted a topic posted on their official discussion board reporting this issue and has yet to respond to the feedback sent to them. As of this writing, the flaw still remains and there is no word on when Apple plans to fix it, if ever.

Until Apple wakes up and takes notice, we advise our readers to manually clear all cookies whenever you are done using a public computer or any computer that is not exclusively used by you. This will ensure that you are logged out of any and all sites you visited during the session and will keep prying eyes away from places they are not invited to. Any security-related news about Apple has a nasty habit of snowballing out of proportion, so we hope Apple addresses all concerns swiftly. The last thing they need is negative publicity just ahead of their biggest public event of the year. We’ll keep you posted.
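The following is an added example, not code from the MacUser post or from Apple’s .Mac/iDisk service: a small Python model of a browser cookie jar and a web application, showing why a site with no logout stays open to the next person at a shared computer, what a proper logout handler has to do (drop the session server-side and expire the cookie), and the limit of the cookie-clearing workaround recommended above. The cookie name, credentials and page names are made up for illustration.

```python
"""Added example (not from the MacUser post or from Apple's .Mac/iDisk code):
a toy session model showing why a web service with no logout stays open to the
next person at a shared computer, what a real logout must do, and the limit of
the "clear your cookies" workaround. Names, credentials and the cookie name are
constructed for illustration."""
import secrets
from dataclasses import dataclass, field

SESSION_COOKIE = "idisk_session"  # hypothetical cookie name, not Apple's


@dataclass
class Response:
    status: int
    body: str
    set_cookie: dict = field(default_factory=dict)  # name -> value ("" = delete)


class WebApp:
    """Server side: a session store keyed by a random token."""

    def __init__(self):
        self._sessions = {}                          # token -> username
        self._users = {"alice": "correct horse"}     # constructed credentials

    def login(self, user, password):
        if self._users.get(user) != password:
            return Response(401, "Unauthorized")
        token = secrets.token_urlsafe(32)            # unguessable session id
        self._sessions[token] = user
        return Response(200, f"welcome {user}", {SESSION_COOKIE: token})

    def files(self, cookies):
        """The private-files page: valid only while the token is in the store."""
        user = self._sessions.get(cookies.get(SESSION_COOKIE))
        if user is None:
            return Response(401, "Unauthorized")
        return Response(200, f"{user}'s private files")

    def logout(self, cookies):
        """What the post says iDisk lacked: remove the session server-side and
        tell the browser to discard the cookie (the equivalent of Max-Age=0)."""
        self._sessions.pop(cookies.get(SESSION_COOKIE), None)
        return Response(200, "logged out", {SESSION_COOKIE: ""})


class Browser:
    """Client side: one cookie jar shared by everyone using this public computer."""

    def __init__(self):
        self.jar = {}

    def apply(self, resp):
        for name, value in resp.set_cookie.items():
            if value == "":
                self.jar.pop(name, None)             # cookie deleted by the server
            else:
                self.jar[name] = value
        return resp


def next_user_status(logout_before_leaving: bool, clear_cookies: bool) -> int:
    """Alice uses iDisk on a shared machine and walks away; the next user reopens
    the files page from the browser history. Returns the HTTP status they get."""
    app, browser = WebApp(), Browser()
    browser.apply(app.login("alice", "correct horse"))
    assert app.files(browser.jar).status == 200      # Alice herself is fine
    if logout_before_leaving:
        browser.apply(app.logout(browser.jar))       # the control the service should offer
    if clear_cookies:
        browser.jar.clear()                          # the article's manual workaround
    return app.files(browser.jar).status


def server_session_survives_cookie_clear() -> bool:
    """Caveat: clearing the jar only affects this browser. The server still
    honours the token until it expires or a real logout removes it."""
    app, browser = WebApp(), Browser()
    browser.apply(app.login("alice", "correct horse"))
    before_clear = dict(browser.jar)
    browser.jar.clear()
    return app.files(before_clear).status == 200


if __name__ == "__main__":
    print("no logout, no clear :", next_user_status(False, False))         # 200: exposed
    print("proper logout       :", next_user_status(True, False))          # 401
    print("cookies cleared     :", next_user_status(False, True))          # 401
    print("token still valid   :", server_session_survives_cookie_clear()) # True
```

Clearing cookies protects only the browser you are sitting at; it does nothing on the server, which is why a logout control that invalidates the session server-side is the real fix and the manual workaround is a stopgap.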

Comments (7)

What is easier (assuming you're using a public Mac): turn on Private Browsing mode when you sit down, and turn it off when you leave. This prevents Safari from keeping any cookies or adding anything to your history.

Matt Stocum
December 17, 2007
11:12 AM PT

This has been discussed to death on /.

If you're accessing anything on a public terminal anyway, you should not expect any privacy. Malware abounds when you give the masses access.

sdkay
December 17, 2007
2:25 PM PT

What we have here is a case of "speak first, think later" analysis...

Private browsing has been in Safari since 2.x first came out

December 17, 2007
7:23 PM PT

Even more frustrating... to check your .Mac email you log in with a password that gains one access to all of your .Mac services. This is significant to many of us who travel without laptops and have to check our email on non-secure Windows machines (internet cafes). There's no option for setting an email-only password (so if that becomes compromised, only the email is at risk). Instead, all your iDisk, website, email, and iTunes are at risk.

doc
December 17, 2007
11:21 PM PT

Funny comment about broadband in India! I travel to Pune periodically, where we always get high speed installed [and getting it installed is a very funny story in itself]. Anywhoo: broadband really means slow DSL, or something similar, with upload speeds of about 125k and downloads of about 250k on a very good day with clear skies…
I love India, though.

msadesign
December 18, 2007
5:28 AM PT

That's interesting. They are working on the broadband situation though. The download speeds are being improved but they just refuse to take care of the upload speed and have these really limiting caps on either the data transferred or the time allotted. It really cripples the connection.

I'm sure things will change for the better though, and hopefully soon. :)

Aayush Arya
December 18, 2007
6:38 AM PT

Just tried it on my iDisk and found that trying to re-access it prompted me for a username and password. After hitting OK three times without entering any information, the page defaults to "Unauthorized", and the same is true after hitting "Cancel". There is, however, the option to save the password. I would try it; however, I am currently on a public computer, so I'd rather not.

Michael W.
December 18, 2007
9:06 AM PT
