Aug 21 2008

Apple’s giving spammers a hand

Published by at 9:50 pm under Phishing, scams, etc., Security Advisories

I almost think it’s time to create a new blog called “Security Stupidity”. The latest issue to catch my eye is Apple’s “it’s not a security problem because nobody noticed” declaration; Michael Arrington has pointed out that Apple has made it easy for someone to enumerate the me.com and mac.com email address range by making public folders that use the same name as the email address. I’m sure I can think of several dozen people who presented at Defcon a couple of weeks ago who could do this in a matter of hours.

Michael Arrington has this one dead to rights: the bad guys have probably already figured this one out and are taking advantage of it as you’re reading this. There’s no way to remove an account name from this list, which means that Apple has no way of fixing this information leak without a major overhaul of their systems. I didn’t sign up for a me.com address before and now I’m glad.

I hope you’re not using your me.com or mac.com addresses for anything major, because they’re about to become spam magnets. This is the real power of full disclosure: Michael Arrington tried to tell them, they didn’t do anything so he disclosed, now Apple is going to pay the consequences, along with everyone who owns one of these email accounts.

Rather than admitting they’re wrong and fixing the problem (if that’s even possible), Apple will probably continue to deny this is a problem. But once it becomes a widespread issue, they’ll probably still deny it and quietly step up their behind-the-scenes anti-spam efforts. And we all know how well that’ll work.


24 Responses to “Apple’s giving spammers a hand”

  1. Tim F. on 21 Aug 2008 at 10:17 pm

    I’ve had a mac.com account since it was introduced as iTools. I’ve always received far less spam than other accounts as a simple matter of rarely using the email address. (This same url “hack” has been in place for 8 years.)

    I created a new MobileMe account when it launched specifically for iDisk use. I haven’t used the email. I have zero spam. I haven’t even turned on the Junk Mail filter (Apple’s equivalent of spam filtering).

    Please get your dozens of DefCon friends on it, I’d like to see the spam pour in. Or maybe Apple has more security in place than imagined, and the reason this exists is because it’s supposed to, for simplicity. Or do you think Michael Arrington has special powers and no single spammer took notice of a very apparent feature that has existed for 8 years until he blogged it?

  2. Martin on 21 Aug 2008 at 10:27 pm

    Maybe you’re right, or maybe you’re lucky. I have talked to one of the Defcon presenters and there may be a tool coming out in the near future. Not the sort of thing I do, personally.

    And as much as I hate to say it, Michael Arrington does have special powers on the Internet. Maybe not super powers, but he has more juice than almost anyone on the Internet.

    Just because it’s been in place for some time doesn’t make it any less of a stupid idea. Look at DNS, it’s been broken by design from the very start and it wasn’t until recently when Dan Kaminsky started poking around that anyone realized it was broken. Now that we know, it’s started coming under fire. Apple may suffer the same experience, especially now that so many people are getting iPhones and MacBook Pros. 8 years ago it wouldn’t have been worth the effort, but now it’s a different story.

    Martin

  3. Tim F. on 21 Aug 2008 at 10:37 pm

    Well, the problem is: there is zero proof. Do we know if Apple has security to prevent the necessary spidering? No. Do we know if anyone has successfully done so? No. Do we know of rampant spam attacks on .mac/MobileMe subscribers? No. Do we know if Apple’s spam filtering is protecting such successful email harvesting attempts? No. You suggest that Apple may not even be able to do anything to respond to this — any reason to make that claim? No.

    You just went from claiming Apple is actively helping spammers, suggesting .mac/MobileMe users will soon be under attack if they aren’t already, and that this is simple “security stupidity” to “maybe you’re right,” “Apple may suffer…” because Michael Arrington finally noticed a feature that’s been before his eyes for a while and many others had taken for granted for years. Do you see a disconnect there?

  4. Ben on 22 Aug 2008 at 4:35 am

    Actually, there already is a Stupid Security site/blog… :)
    http://www.stupidsecurity.com/

  5. Martin on 22 Aug 2008 at 5:13 am

    You’re right, zero proof is a problem. But just as I have no proof that it’s happening, you have nothing but anecdotal proof that it’s not. Just because it hasn’t happened to you yet, doesn’t mean it’s not happening.

    We don’t know if this is happening, however, even if it was, do you think Apple would admit it? There’s a historical precedent of Apple denying vulnerabilities, slandering researchers and threatening with lawsuits when all else fails. Given this history, even if Apple is suffering through a huge spam storm, I wouldn’t expect them to admit it.

    Publicly exposing user names was a stupid move from a security perspective even if you’re not getting spam. Making it possible and easy to spider the .me and .mac accounts is security stupidity, plain and simple, even if it’s never exploited. Giving away account names just gives the bad guys one step up on the process of compromising the accounts, whether that’s sending spam or owning the accounts.

    I’m a security guy, I have to figure out how ‘features’ can be turned against the owners before it happens. I’m not in a position where I should have proof before I say anything; I have to figure out what’s wrong and act before it can be abused. So, yes, I feel justified in calling Apple out on this one and calling it stupidity.

  6. Tim F. on 22 Aug 2008 at 5:49 am

    I could care less if Apple admits it. I don’t care about public shaming and admissions committed on bended knee.

    How do we know it’s easy to spider? Maybe they have some of the best spider traps in the industry, the best traffic monitoring, etc… You continue to make absurd presumptions.

    It wasn’t an oversight unless they are vastly ignoring things we don’t know about but which is extremely unlikely. Otherwise, this has been a feature since day one. I want my public folder address, my galleries, etc… to be memorable. If I’m placing them in public web folders, I should be doing so for a reason: so that they are discoverable.

    I could care less if bad guys get one step if they don’t get through step 2, 3, and 4.

    You have done zero research and have done zero to prove the concept. Yet you claim to have reason to call them out: that’s stupidity to me.

  7. Martin on 22 Aug 2008 at 6:07 am

    Tim, I guess we’ll have to agree to disagree. Thanks for keeping it relatively courteous.

    This is an example of the fundamental difference in the viewpoint of security professionals and hackers versus normal users. You look at how things are supposed to be used and react. We look at how things will react when abused and if that can be exploited. In this case, there’s a vast potential for harvesting email addresses and account names if someone wants to do wrong. Even if Apple has safeguards in place to prevent harvesting, what they did is a bad idea from a security perspective.

    Have a nice day,

    Martin

  8. Beemish on 22 Aug 2008 at 6:55 am

    Hey Tim F., keep an eye out for e-mail subject: “Tim F. now believes” a spam i name in your honor. In it you will find a link to this page. Oh, and then you will believe.

    Beemish

  9. Tim F. on 22 Aug 2008 at 7:12 am

    I’ll be looking for it, Beemish. Can you get it to me before Monday?

  10. Martin on 22 Aug 2008 at 8:10 am

    Tim, in Arrington’s comments he points out that we don’t even need a new piece of software, we have Yahoo which already has a list of 38,000 addresses easily available.

    I’m sure Johnny Long could come up with a much better search string through Google in a matter of minutes.

    Michael Arrington said:

    Here’s a list of 38,000+ to get the spammers started, care of Yahoo:
    https://siteexplorer.search.yahoo.com/search?p=http%3A%2F%2Fidisk.mac.com

    and

    they aren’t even instructing search engines not to crawl the pages:

    http://idisk.mac.com/robots.txt

  11. Tim F. on 22 Aug 2008 at 8:38 am

    I’m fully aware of Arrington’s comments. (Did you miss my reply comments?) They actually show his lack of understanding (and maybe yours). Why would Apple use robots.txt files to prevent spambots? Since when do malicious crawlers observe the robot exclusion standard? (Btw, I haven’t been able to grab the robots.txt, and I don’t think Arrington has seen it either… my attempts get redirected to a standard error page.) Why wouldn’t users who are placing files in publicly accessible web folders want to be indexed? I know of numerous files that are hosted by Apple’s service that the owners definitely want to rank in search engines. I’ve known since 2000 that there are search results including user names.

    And finally as I said above, I don’t care if spammers can get to step 1, I care about if they are actually spamming me. (I rank this vector no greater, and probably less, than innumerable other possible methods of discovering my email address.) Prove to me that spammers have created a master list of all .mac/MobileMe subscribers, that it is heavily trafficked and being used to send spam. Otherwise, I am seeing a company that is balancing the consumers’ user-facing needs and those of security… while a few are getting hysterical about something they have done little to understand.

  12. Brian Knoblauch on 22 Aug 2008 at 11:22 am

    Overrated as a security risk. My e-mail address is floating around everywhere on the web (posted plain text to a number of websites and newsgroups) and my spam is minimal. I don’t think this one exposure by Apple of usernames is going to change the spamload any.

  13. Scott Morrison on 22 Aug 2008 at 2:59 pm

    I’m going to have to side with the great masses on this one. Apple has exposed users’ email addresses, yes. It’s been that way for a long time, also yes. But Apple is hardly the first one to do this sort of thing.

    Many years ago, I would check profile information on Yahoo of anybody who emailed me from a yahoo.com address via http://profile.yahoo.com/username. Various and sundry web services have similar “holes” in their security. Many blogging and social network sites use member account names for both their login and their personal page. This undoubtedly makes the accounts less secure, because guessing an account name is as simple as browsing the site. Apple makes the same mistake here, because your account name is the same as your email address, both of which are exposed in your URL.

    Spammers have no shortage of other means of collecting email addresses. One more minor one, in this case someplace that I have yet to receive ANY mail (except for a couple from Apple themselves) is just a drop in the bucket.

    Could Apple have used a hash or a serial number or something for URLs? Sure. That would’ve seriously reduced the convenience of having an easy to remember URL to give to friends or family, or to remember for yourself.
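The alternative the comment above raises (a hash or serial number in the URL instead of the account name) is worth seeing in code, because not every "hash" breaks the link between URL and username: an unkeyed hash of the username can be recomputed by anyone who wants to confirm a guess, so it hides nothing. The example below is added here and is not Apple's code or anything from the original post; it contrasts an unkeyed hash with a keyed HMAC and a random token, and keeps the id-to-account mapping server-side so the folder can still be served. The server key, the `/public/<id>/` URL shape and the class name are constructed for the demo.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed server-side secret for this demo. A real service would load it from a
# secret store; note that rotating it changes every derived URL, which is the price
# of a derived (rather than stored, random) identifier.
SERVER_KEY = b"constructed-demo-key-do-not-use-in-production"


def naive_folder_id(username: str) -> str:
    """Unkeyed hash of the username: looks opaque, but anyone can recompute it."""
    return hashlib.sha256(username.lower().encode("utf-8")).hexdigest()[:16]


def keyed_folder_id(username: str, key: bytes = SERVER_KEY) -> str:
    """Keyed HMAC of the username, truncated to 96 bits and made URL-safe.
    Without the key an outsider can neither turn a guessed name into the URL
    nor recover the name from a URL they found in a search index."""
    tag = hmac.new(key, username.lower().encode("utf-8"), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(tag[:12]).decode("ascii").rstrip("=")


def random_folder_id() -> str:
    """Alternative with no derivation at all: a random token stored on the account.
    Nothing links it to the username except the server's own records."""
    return secrets.token_urlsafe(12)


def outsider_confirms_guess(guess: str, observed_id: str) -> bool:
    """What an outsider can do against the naive scheme: hash a guessed name and
    compare it with an id seen in a URL. This is exactly why the hash must be keyed."""
    return hmac.compare_digest(naive_folder_id(guess), observed_id)


class PublicFolderDirectory:
    """Server-side map from opaque folder id to account, so a public folder can be
    served without the account name ever appearing in the URL."""

    def __init__(self) -> None:
        self._by_id: Dict[str, str] = {}

    def register(self, username: str) -> str:
        """Create (or re-derive) the public URL for an account."""
        folder_id = keyed_folder_id(username)
        self._by_id[folder_id] = username
        return f"/public/{folder_id}/"

    def resolve(self, folder_id: str) -> Optional[str]:
        """Look up which account owns a folder id; None for an unknown id."""
        return self._by_id.get(folder_id)
```

The keyed and random forms both cost the memorability the comment values; what they buy is that a URL found in a search index no longer confirms an account name, and a guessed account name no longer produces a URL to probe. The mapping only helps if the page served at the opaque URL does not print the account name itself.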

  14. Tim F Needs To Be Prepared on 22 Aug 2008 at 4:20 pm

    Tim F. was one of those guys that said Y2K is all a hoax. He said, how do we know anything will happen when 2000 hits? How can anyone prove bad things will happen? I haven’t seen any proof or any issues with Y2K happen…have you?

    Tim F. is the kind of guy that needs to fly to the moon to believe it exists. Tim F. is the kind of guy that is only reactive, not proactive.

  15. Tim F. on 22 Aug 2008 at 5:08 pm

    Oooh, poetry.

    Tim F. is aware that spam already constitutes 85-95% of all web traffic and affects the vast majority of all accounts. Tim F. doesn’t have a spam problem because even though he has to make his email susceptible to all sorts of attacks via frequent communications with less-prepared contacts, several presences on the web, and membership in innumerable social networks, organizations, mailing lists, etc…, he rarely receives a spam in his inbox and hasn’t experienced a false positive in more than 2 years because of effective spam filtering.

  16. Tim F. on 22 Aug 2008 at 5:10 pm

    Dammit, I screwed my poem. That should be: 85-95% of all EMAIL traffic

  17. Martin on 22 Aug 2008 at 5:13 pm

    Dang it, just when I was about to tell you both to quit it you had to be funny.

    Martin

  18. Jerry Leichter on 23 Aug 2008 at 1:48 pm

    Interesting debate, but it does help to actually check the facts (which are, in fact, accurately reported at http://www.techcrunch.com/2008/08/21/an-easy-way-to-retrieve-the-entire-mobileme-user-email-list/). You can’t “spider” the user list. The robots.txt at idisk.mac.com has nothing to do with spidering. In fact, it isn’t even a robots.txt file, as is obvious if you read it. The top-level idisk.mac.com URL requires you to log in to your own account (or you can specify a public URL under it – which is how idisk.mac.com/robots.txt is actually interpreted).

    So if spidering isn’t the threat, what is? Given any username u, there is a page at idisk.mac.com/u-Public. So if you guess u, you can confirm that u@mac.com / u@me.com are valid mail addresses. This is a vulnerability if u is reasonably guessable. Since .mac/.me usernames seem usually to be firstnamelastname, most aren’t so easy to guess.

    A potential information leak? Sure. A reasonable tradeoff for convenience? Perhaps. Should Apple provide a way for those who don’t want to expose their name this way? Probably. (Apple tends to prefer simplicity to choice. Techies usually want the opposite; most non-techies don’t – which most techies will never understand – even the ones who eat the same lunch every day.) Something to get hysterical about? Come on….

    — Jerry
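Whether guessing against the `/u-Public` URL shape Jerry describes is going on is, as Tim points out earlier in the thread, a question of traffic monitoring rather than robots.txt. The example below is added here and is not code from the post or from Apple; it is the kind of check a provider's operations team could run over access logs. It parses constructed Common Log Format lines (addresses from the RFC 5737 documentation ranges), keeps only requests to public folders, and flags a client that touches many distinct account names within a short window with mostly 404 responses, which is the footprint a guessing run leaves and an ordinary visitor browsing one friend's folder does not. The thresholds and the `-Public` path pattern are assumptions for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed access-log lines (Common Log Format). 198.51.100.10 browses one
# folder, 192.0.2.44 follows links to three existing folders, and 203.0.113.7
# walks an alphabetical list of names and mostly gets 404s.
SAMPLE_LOG = """\
198.51.100.10 - - [22/Aug/2008:08:10:01 +0000] "GET /alice-Public/ HTTP/1.1" 200 1532
198.51.100.10 - - [22/Aug/2008:08:10:05 +0000] "GET /alice-Public/photos/ HTTP/1.1" 200 8827
203.0.113.7 - - [22/Aug/2008:08:11:00 +0000] "GET /robots.txt HTTP/1.1" 302 0
203.0.113.7 - - [22/Aug/2008:08:11:01 +0000] "GET /aaron-Public/ HTTP/1.1" 404 211
203.0.113.7 - - [22/Aug/2008:08:11:01 +0000] "GET /abbey-Public/ HTTP/1.1" 404 211
203.0.113.7 - - [22/Aug/2008:08:11:02 +0000] "GET /abel-Public/ HTTP/1.1" 200 1490
203.0.113.7 - - [22/Aug/2008:08:11:02 +0000] "GET /abigail-Public/ HTTP/1.1" 404 211
203.0.113.7 - - [22/Aug/2008:08:11:03 +0000] "GET /adam-Public/ HTTP/1.1" 404 211
203.0.113.7 - - [22/Aug/2008:08:11:03 +0000] "GET /adrian-Public/ HTTP/1.1" 200 1602
203.0.113.7 - - [22/Aug/2008:08:11:04 +0000] "GET /aiden-Public/ HTTP/1.1" 404 211
203.0.113.7 - - [22/Aug/2008:08:11:04 +0000] "GET /alan-Public/ HTTP/1.1" 404 211
192.0.2.44 - - [22/Aug/2008:08:12:10 +0000] "GET /bob-Public/ HTTP/1.1" 200 2210
192.0.2.44 - - [22/Aug/2008:08:12:40 +0000] "GET /carol-Public/ HTTP/1.1" 200 1980
192.0.2.44 - - [22/Aug/2008:08:13:05 +0000] "GET /dave-Public/ HTTP/1.1" 200 1754
192.0.2.44 - - [22/Aug/2008:08:13:30 +0000] "POST /login HTTP/1.1" 200 512
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|HEAD) (\S+) [^"]*" (\d{3}) ')
FOLDER_RE = re.compile(r"^/([^/]+)-Public(?:/|$)")   # assumed public-folder URL shape
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_public_folder_requests(log_text: str) -> List[Tuple[str, datetime, str, int]]:
    """Return (client, timestamp, account_name, status) for each GET/HEAD of a public folder."""
    out = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, ts, path, status = m.groups()
        f = FOLDER_RE.match(path)
        if not f:
            continue
        out.append((client, datetime.strptime(ts, TS_FMT), f.group(1).lower(), int(status)))
    return out


def detect_enumeration(log_text: str, min_distinct: int = 5,
                       min_miss_ratio: float = 0.5, window_seconds: int = 300) -> Dict[str, dict]:
    """Per client: most distinct account names requested inside any window of
    window_seconds, the share of 404 responses, and whether both cross the thresholds."""
    by_client: Dict[str, List[Tuple[datetime, str, int]]] = defaultdict(list)
    for client, ts, name, status in parse_public_folder_requests(log_text):
        by_client[client].append((ts, name, status))
    report = {}
    for client, reqs in by_client.items():
        reqs.sort()
        best_distinct, start = 0, 0
        for end in range(len(reqs)):            # sliding window over sorted timestamps
            while (reqs[end][0] - reqs[start][0]).total_seconds() > window_seconds:
                start += 1
            best_distinct = max(best_distinct, len({n for _, n, _ in reqs[start:end + 1]}))
        miss_ratio = sum(1 for _, _, s in reqs if s == 404) / len(reqs)
        report[client] = {
            "requests": len(reqs),
            "distinct_in_window": best_distinct,
            "miss_ratio": round(miss_ratio, 2),
            "flagged": best_distinct >= min_distinct and miss_ratio >= min_miss_ratio,
        }
    return report


def flagged_clients(log_text: str, **thresholds) -> List[str]:
    """Sorted list of clients whose request pattern crossed the enumeration thresholds."""
    return sorted(c for c, r in detect_enumeration(log_text, **thresholds).items() if r["flagged"])


if __name__ == "__main__":
    for client, stats in detect_enumeration(SAMPLE_LOG).items():
        print(client, stats)
```

The 404 ratio is what separates guessing from a visitor who follows links between existing folders: 192.0.2.44 also opens several distinct names but never misses, so it is not flagged. A guesser that spreads requests across many source addresses or keeps under the rate will slip past a per-client rule like this one, which is why the check is a complement to, not a substitute for, not exposing account names in URLs at all.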

  19. Anon E Mous on 25 Aug 2008 at 4:54 am

    AOL & EarthLink have had the same “vulnerability” for over a decade. Jerry Leichter is right.

  20. Gustav on 25 Aug 2008 at 6:09 am

    This really isn’t a problem. Spammers run bots on other people’s PCs. Do you really think they check the addresses first? Why wouldn’t they just enumerate their dictionaries of usernames and send them to username@hotmail.com, username@mac.com, username@yahoo.com, etc. – it’s far quicker to just send the spam and ignore the errors than to validate it first.

  21. Aaron Guhl on 25 Aug 2008 at 8:04 am

    I think a lot of people are missing the point. Spam today has changed dramatically from what it was 5 years ago. Spam 5 years ago was all about the attachments. Spammers didn’t care who they targeted and so they could create a spam campaign like the one that Gustav mentioned above. But today users are much smarter and so spam campaigns like that are no longer effective, not only against users, but also against spam filter software.

    However, spam today is much different. Spam today is all about phishing. Because of this, a very important piece of the puzzle is being able to target your audience for spam. If an attacker is able to enumerate the users of a particular provider or domain, then you immediately have access to a piece of information that is common among all those users. They all belong to the same mail provider! For this reason the attacker can then create a phishing spam campaign targeting those users spoofing the email as an administrator for said domain. A targeted phishing campaign is way more effective than one that isn’t and will have a much higher success ratio.

    Imagine if someone was able to enumerate the email addresses of everyone that had Capital One accounts. Now think of the phishing spam campaign that could be created knowing that. The same security precautions should be created when thinking about email. Why people have such a lazy attitude toward email security is beyond me.

    It is for that reason that I feel that providers of mail and Web 2.0 services need to take notice of this and take the precautions to protect their users’ addresses. The number one way to combat phishing spam is to prevent spammers from being able to target their audience.

  22. Tim F. on 25 Aug 2008 at 11:36 am

    Aaron, that’s a silly comment. Why would you need to validate an email address to know that addresses at the mac.com/me.com domain are at the mac.com/me.com domain?

    Beemish, still waiting… This is easy stuff, man.

  23. Aaron Guhl on 25 Aug 2008 at 12:08 pm

    Because if I had a list of 10,000 accurate email addresses versus a list of 10,000 randomly generated inaccurate addresses, I’d take the accurate list any day.

    The resources needed to put together a legitimate list of usernames/addresses using a dictionary list is exponentially greater than if you were able to pull a list of accurate addresses. A username could be “SmellySailor22” and even the most comprehensive dictionary list would not come across that account. But if you were able to enumerate an accurate list of users, then SmellySailor22 would be on that spammer’s target list.

    Now I know that you are obviously knowledgeable enough to know the difference between a phishing email and a real one. But many users who use MobileMe and other similar services are not. This is why it is valuable if a spammer is able to get a list of accurate addresses on that domain versus just blindly sending out emails to that domain where only 1% of those emails may actually end up in an active user’s mailbox.

    Tim, I don’t believe you read my first post correctly. I didn’t say that you had to validate the account to ensure that the DOMAIN was correct. Clearly you already know that part. What you don’t know is the USER part of the address. Knowing the username of an account is 50% of what someone needs to compromise the account. Knowing the email address is a way for someone to get in contact with that user and manipulate them to get their password (i.e, phishing, etc). Being able to enumerate an entire list of accurate users is a way to do this on a grand scale. How do you not see the security flaw in that?

    The only evidence that you have that it ISN’T happening is you saying that you aren’t receiving any spam on your account. That reactive approach to security will only get you into trouble in the future. Proactiveness is the only way to protect a network.

    Whether or not people are taking advantage of it is another question. But one mantra I’ve always gone by in IT Security is it isn’t “if” it will happen, it is “when”.

  24. Tim F. on 27 Aug 2008 at 5:53 am

    @ Aaron, I don’t know why you think I didn’t read your posts or that I missed something. You claimed this was so dangerous because it allowed more than a standard spam attack, it allowed a directed phishing attack because you knew something about the users. The only thing you know is the domain.

    You say you’d rather have 10,000 verified emails vs. 10,000 unverified emails. Of course, you haven’t demonstrated that you can easily acquire 10,000 verified emails anywhere near as fast as the unverified names, and you’ve completely ignored the fact that a dictionary attack is going to allow for millions of unverified emails almost guaranteeing hundreds of thousands of verified emails.

    You say absurd things like: “The resources needed to put together a legitimate list of usernames/addresses using a dictionary list is exponentially greater than if you were able to pull a list of accurate addresses.” Which of course assumes it takes zero resources to verify these addresses? No one has demonstrated that idisk sub-directories are crawlable. I’m not suggesting they aren’t. I’m suggesting they are on the same order of magnitude as launching a dictionary attack. The methods are very similar.

    “The only evidence that you have that it ISN’T happening is you saying that you aren’t receiving any spam on your account.”

    And yet you have ZERO evidence this is possible at all. I’ve always understood that paranoid security experts who will take any instance of non-obscurity as a potential threat, but that doesn’t make it a legitimate threat. If you represent the IT security community, do a little work towards proving this conjecture rather than presuming it is so. Send me a list of 20,000 spidered directories. Show me the code. Do something. All you’ve done is restate what has been obvious for eight years. Thanks security minded people. Way to stay on top of things and do nothing.
