iDisk security flaw when using public computers

Discussion in 'Mac Apps and Mac App Store' started by RedTomato, Dec 16, 2007.

  1. RedTomato macrumors 68040

    RedTomato

    Joined:
    Mar 4, 2005
    Location:
    .. London ..
    #1
    You could get into a lot of people's iDisk accounts at Apple stores with this method.

    From Slashdot

    http://it.slashdot.org/article.pl?sid=07/12/16/0055211

    "The de facto online connectivity software sold along with many Apple computers, .Mac, has a Web interface through which users can check their 'iDisk' while away from their own computer. However, there is no Log-Out button in this Web interface, so most users just close the browser and walk away... not realizing that their iDisk has been cached by the browser and that anyone who wants to can open up the browser, go back to the link in History, and get into their iDisk completely logged in. From here, files can be downloaded and/or deleted.

    This seems like a minor security flaw via bad interface design, and podcaster Klaatu (of thebadapples.info) posted this on the discussion.apple.com site, only to have his post removed by Apple. Furthermore, feedback at apple.com/feedback has gone unanswered. The problem remains: there is no way for the average computer user to log-out of their iDisk on public computers. A quick review of any public terminal's browser history could bring up all kinds of interesting things."


    Original story on

    http://www.thebadapples.info

    A friendly reminder from The Bad Apples - This past week Klaatu has been on a campaign to get a log-out button on the iDisk web interface. Feedback has been submitted to Apple regarding this omission, and a post by Klaatu on the discussion.apple.com site has been removed(!) by Apple themselves. This is a little concerning, considering what kind of security issue this really is.

    You wouldn't sign your mother up for an email account that had no log-out button, would you? Then why should people be signing up for a service that advertises the ability to log into their server space from any computer, but which features no log-out button? Browsers cache information, including an iDisk; and since there is no way to log out, there is really no way to protect your information unless you are savvy enough to empty a browser's cache and history. Go ahead, hang out at your college computer lab or at the library or just walk into any Apple store, and type into the URL bar the letter "i" and then maybe a "d", and see how many iDisks show up. The link will look like this: http://idisk.mac.com/USERNAME?view=web and it will let you download and delete any file on the person's iDisk.

So this is just a friendly reminder to anyone with a .mac account to be careful when checking your account on someone else's computer, especially a public one! If you do check it on someone's non-Mac, then make sure you have the ability to successfully clear the browser's history and cache. And go to apple.com/feedback and tell them that a company advertising above-average security should have simple security devices like "log out" in place!
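As an added illustration of the two controls the post asks for (not iDisk's code and not part of the thread): a minimal server-side session model in Python where logout invalidates the session on the server, so the link left in a public browser's History only returns a login redirect, and every authenticated response carries no-store cache headers. The in-memory store, the 15-minute idle timeout and the function names are assumptions for the example.

```python
import secrets
import time

# Constructed in-memory session store standing in for a web interface's
# server-side sessions (hypothetical; not iDisk's real implementation).
SESSIONS = {}
SESSION_TTL = 15 * 60  # assumed idle timeout in seconds

# Headers every authenticated response should carry so a shared browser
# does not keep a reusable copy of the page in its cache.
NO_STORE_HEADERS = {
    "Cache-Control": "no-store, no-cache, must-revalidate",
    "Pragma": "no-cache",
}


def login(username):
    """Create a server-side session and return the opaque cookie value."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = {"user": username, "last_seen": time.time()}
    return token


def logout(token):
    """Invalidate the session server-side; a cached cookie is now useless."""
    return SESSIONS.pop(token, None) is not None


def authenticate(token, now=None):
    """Return the username for a live session, or None if unknown or expired."""
    now = time.time() if now is None else now
    session = SESSIONS.get(token)
    if session is None:
        return None
    if now - session["last_seen"] > SESSION_TTL:
        SESSIONS.pop(token)  # idle too long: drop it server-side
        return None
    session["last_seen"] = now
    return session["user"]


def idisk_view(token, now=None):
    """Simulate GET /USERNAME?view=web -> (status, headers, body)."""
    user = authenticate(token, now)
    if user is None:
        # Revisiting the History link after logout lands here, not on the files.
        return 302, {"Location": "/login", **NO_STORE_HEADERS}, ""
    return 200, dict(NO_STORE_HEADERS), f"iDisk listing for {user}"
```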
     
  2. eluk macrumors 6502a

    eluk

    Joined:
    Dec 14, 2006
    Location:
    East London, UK
