Aug 21 2008
I almost think it’s time to create a new blog called “Security Stupidity”. The latest issue to catch my eye is Apple’s “it’s not a security problem because nobody noticed” declaration; Michael Arrington has pointed out that Apple has made it easy for someone to enumerate the me.com and mac.com email address range by making public folders that use the same name as the email address. I’m sure I can think of several dozen people who presented at Defcon a couple of weeks ago who could do this in a matter of hours.
Michael Arrington has this one dead to rights: the bad guys have probably already figured this one out and are taking advantage of it as you’re reading this. There’s no way to remove an account name from this list, which means that Apple has no way of fixing this information leak without a major overhaul of their systems. I didn’t sign up for a me.com address before and now I’m glad.
I hope you’re not using your me.com or mac.com addresses for anything major, because they’re about to become spam magnets. This is the real power of full disclosure: Michael Arrington tried to tell them, they didn’t do anything so he disclosed, now Apple is going to pay the consequences, along with everyone who owns one of these email accounts.
Rather than admitting they’re wrong and fixing the problem (if that’s even possible), Apple will probably continue to deny this is a problem. But once it becomes a widespread issue, they’ll probably still deny it and quietly step up their behind the scenes anti-spam efforts. And we all know how well that’ll work.