Apple makes e-mail harvesting easy with MobileMe

A curiously simple oversight may have opened every MobileMe user to the risk of having their e-mail address harvested by anyone who looks through the company's iDisk folder hierarchy.

Specifically, the oversight appears to be that every MobileMe user's iDisk folder is named with the exact same username that appears in his or her e-mail address. All a spammer would need to do is add '@me.com' to this information, and the legitimate e-mail address is complete.

It should be mentioned that this is not a new problem for MobileMe -- it appears to have been a risk since iDisk was introduced in .Mac as well, but it certainly does not help the tarnished image of Apple's online service.

Folders are Web-accessible through an address like the following: idisk.mac.com/steve-public. Some are saying that figuring out the entire folder hierarchy may be as easy as using a Web crawler tool.

TechCrunch, which was the first to report on the possible security flaw, also suggested hackers may use a dictionary attack to figure out usernames.

Selling e-mail addresses is a lucrative business. However, those addresses aren't valuable commodities unless they can be verified as legitimate. Obviously, if a user has an iDisk folder, the e-mail address attached to it is going to be legitimate.

Worse yet may be Apple's response to the matter. It appears as if the company is aware of how potentially easy it may be to put its users at risk, but seems willing to do nothing in response.

"We've never had a complaint from a customer about people spamming them because of their iDisk public folder name. There is no way to remove your account name from the iDisk folders. I'm very sorry," an Apple representative told one person.

Issues with MobileMe e-mail are nothing new. Other than the obvious connectivity issues, last week it was discovered customers of the service were the target of a phishing scam aimed at stealing personal information.

Apple did not respond to requests for comment as of press time.

© 1998-2024 BetaNews, Inc. All Rights Reserved.