Mobile Me username security problem

[MacAhoy]

This is my first post on Mac Rumors, although I've enjoyed reading the site for some years (thanks, arn & friends!)

A poster on Apple's Discussion forums has mentioned that Mobile Me usernames are (in general) visible to the general public, because they are automatically appended to the URL of Mobile Me web galleries.. for example, Emily Parker's Web Gallery address is:
http://gallery.mac.com/emily_parker#gallery

The problem is that this makes Mobile Me e-mail addresses vulnerable to being harvested... for spamming, or worse...
Here's a link to the original post over on Apple's discussion forum:
http://discussions.apple.com/thread.jspa?messageID=7606567

I realize that Web Galleries are password-protectable, but I too feel that this is a security flaw that should be fixed (and it shouldn't require *too* much effort on the part of Apple engineering to do so!). A further concern is that I can't even sign up for a "free" 60-day trial of Mobile Me without handing over credit card info... so now I feel even less confident about signing up for this, especially since my username is obviously connected to my credit card data. Of *course* I want to assume that Apple's mighty servers would NEVER compromise our credit card info, but.... should I really assume this -??.......

I bought my first Mac (a Blueberry iBook ;-) back in 1999 -- ever since then I have been truly grateful for Apple's intelligence in design of both hardware & software... so I am feeling unhappily shocked to be subjected to a basically simple security lapse like this. Although I was never a .Mac customer, I recall that anyone could sign up for a free trial without having to fork over credit card data, which makes plenty of sense to me...

I really want to use Mobile Me -- mostly for the Web Galleries & iDisk, so the potential failure of the "push" services is of less concern for me... But this one little niggling item is stopping me, and I would be thankful if someone here could convince me conclusively that I needn't worry about it. Anybody else feel the same?

(If so, let's put up something on YouTube for their enjoyment -- like: "Dear Apple: I want to sign up for Mobile Me -- AFTER you make my username secure!!! THANKS!!!)

 

[Macsterguy]

I agree...

Also, since everyone has your username for your mobileme account, all they need is your password (not all that hard to get now day's) and they have access to your iDisk, email, iTunes etc....
Everybody have their "one-click purchases" turned on?

 

[wackymacky]

This is my first post on Mac Rumors, although I've enjoyed reading the site for some years (thanks, arn & friends!) ...

Hi,

Some interesting points you made.

I'm not too sure whether your main concern about giving Apple your CC number was on the basis that you hadn’t decided if you wanted the service yet.

This annoys me on principle with any service and almost stopped me signing up. It makes sense for Apple though as you are more likely not ot cancel, than to sign up after two months.

The whole safety of your CC number I don't think is a huge issue.

At least with my bank if I give my number to a established company that has a reasonable degree of safety, I am not liable for any losses if some sod steals the info and uses it to by him self a wife from Russia.

 

[MacAhoy]

Credit Card *in*security is NOT just financial liability..

Hi,

Some interesting points you made.

I'm not too sure whether your main concern about giving Apple your CC number was on the basis that you hadn’t decided if you wanted the service yet.

This annoys me on principle with any service and almost stopped me signing up. It makes sense for Apple though as you are more likely not ot cancel, than to sign up after two months.

The whole safety of your CC number I don't think is a huge issue.

At least with my bank if I give my number to a established company that has a reasonable degree of safety, I am not liable for any losses if some sod steals the info and uses it to by him self a wife from Russia.

WackyMacky -
My feeling is that any linkage of online identifying info (such as my username) with my credit card has potential for unhappy consequences -- even if I never have to pay a penny for unauthorized use of my credit card number. The issue is really that someone who knows my username could potentially gain access to my Mobile Me account online -- pretending to be me -- and change things around, steal data, or abuse data that is *supposed* to be accessible only to me (and Apple, of course)....
Possibly quite nightmarish -- so if someone can wake me up from this particular nightmare, please do!..

 

[wackymacky]

WackyMacky -
My feeling is that any linkage of online identifying info (such as my username) with my credit card has potential for unhappy consequences -- even if I never have to pay a penny for unauthorized use of my credit card number. The issue is really that someone who knows my username could potentially gain access to my Mobile Me account online -- pretending to be me -- and change things around, steal data, or abuse data that is *supposed* to be accessible only to me (and Apple, of course)....
Possibly quite nightmarish -- so if someone can wake me up from this particular nightmare, please do!..

I completely agree about the lack of security with the username. (though a lot of the web based e-mail services that allow you to share photos etc. are no better.

I also won't leave any sensitive information on my idisk as this doesn’t appear to be kept or have information sent in a secure way.

 

[MacAhoy]

So, perhaps our credit card info :really isn't: very safe here..

I completely agree about the lack of security with the username. (though a lot of the web based e-mail services that allow you to share photos etc. are no better.

I also won't leave any sensitive information on my idisk as this doesn’t appear to be kept or have information sent in a secure way.

The difference here is that this is a PAID service that is archiving my financial data. I don't pay anything to Hotmail, so the fact that it's not all that secure doesn't bother me the way this situation does. The more I think about it the more steamed I get -! I really don't want an insecure username to be connectable to my bank!!!

Help!!....

 

[mikes63737]

Buy a gift credit card. Give that number to Apple.

It's not like no one else does this. Lots of other companies use similar business tactics. People are only complaining because it's Apple. They're not perfect either.

Besides, your Apple ID also automatically stores credit card information if you order something from the Apple Store online.

 

[MacAhoy]

Buy a gift credit card. Give that number to Apple.

It's not like no one else does this. Lots of other companies use similar business tactics. People are only complaining because it's Apple. They're not perfect either.

Besides, your Apple ID also automatically stores credit card information if you order something from the Apple Store online.

Thanks for the suggestion -- I was assuming that a gift card would not be accepted for this, but would be quite happy if it is. Do you know for sure that it will work for a Mobile Me subscription?

(It's been a long time since I last tried to use a gift card online, but when I did what I found was that some servers are able to distinguish between a "disposable" gift card and a credit or debit card, that is linked to a bank account.)

I don't complain about this because it's Apple -- and I don't mind that they have been storing my credit card data for at least 5 years now... because those purchases were for *hardware*. What is bothering me in the case of Mobile Me is that I don't want to create a potentially insecure online username that is connected in any way to my credit card info (with a small risk of unauthorized entry into my online Mobile Me account).

So -- I'm looking forward to hearing if a gift card will definitely work! Thanks again!

 

[mikes63737]

I don't know if it will definitely work, but it should. Apple checks to see that it is a valid credit card by placing a $1 hold on it. If you buy one that's for $25, spend about $20 of it, and then give the number to Apple, they'll think it's active because there's at least $1 on it.

But, if they charge you the $99 because you didn't cancel, it'll get denied and they will cancel your service if you don't provide them with a real CC. To get around this, you can buy a MobileMe box one day before your trial expires and then activate it.

EDIT: Oh, and I forgot to mention - it only shows the last 4 digits of your CC to you when you click on My Account. If that's OK, then you can use your real CC.

 

[MacAhoy]

I don't know if it will definitely work, but it should. Apple checks to see that it is a valid credit card by placing a $1 hold on it. If you buy one that's for $25, spend about $20 of it, and then give the number to Apple, they'll think it's active because there's at least $1 on it.

But, if they charge you the $99 because you didn't cancel, it'll get denied and they will cancel your service if you don't provide them with a real CC. To get around this, you can buy a MobileMe box one day before your trial expires and then activate it.

EDIT: Oh, and I forgot to mention - it only shows the last 4 digits of your CC to you when you click on My Account. If that's OK, then you can use your real CC.

Yay, thanks for posting that .png -- very helpful
On the other thread I posted, I was asking if "gift cards" normally have the required "security code" that credit cards do... do you know? I haven't actually used a gift card in a long time so don't recall, but I don't really see why a gift card would need a security code in the first place -- so, if I used a GC with no security code, I expect that Apple would prompt me (i.e. "please fill in the requested information" ) and not activate the subscription. Any ideas?

 

[IgnatiusTheKing]

Instead of giving Apple a credit card for your MobileMe subscription, buy it from Amazon or some other reseller. Then you don't have to worry about your card being compromised if someone does gain access to your account.

The idea of your username being broadcast everywhere never really occurred to me before, and is troubling. At least with iTunes/Apple ID you can use any email address as your login (not necessarily just the @mac.com/@me.com).

 

[MacAhoy]

Instead of giving Apple a credit card for your MobileMe subscription, buy it from Amazon or some other reseller. Then you don't have to worry about your card being compromised if someone does gain access to your account.

The idea of your username being broadcast everywhere never really occurred to me before, and is troubling. At least with iTunes/Apple ID you can use any email address as your login (not necessarily just the @mac.com/@me.com).

I'm missing something ... why do I not have to worry about my card being compromised if someone gets into my MM account, if I buy MM from a reseller? I assume the card info would be stored by both Amazon AND Apple, since as a MM customer I would have a MM account page (like the one that Mike posted above -- see his attached .png image).

The security issue is not so much that my *card* would be stolen or abused -- it's more that MM usernames are apparently not secure, so there is some potential for my Mobile Me IDENTITY being harvested & used by someone who isn't actually Me. (e.g., "hey -- *I* didn't sign up for :THAT OTHER: service/credit card/membership/chain letter!" / "Yes, 'You' did! Here's your billing address & phone #!" / uhhhhhh......???......)

I guess I'd feel better if I knew that at LEAST my MM Account page was quite secure -- how easy is it to gain passwords to this sort of webpage?

 

[IgnatiusTheKing]

I'm missing something ... why do I not have to worry about my card being compromised if someone gets into my MM account, if I buy MM from a reseller? I assume the card info would be stored by both Amazon AND Apple, since as a MM customer I would have a MM account page (like the one that Mike posted above -- see his attached .png image).

If you buy MobileMe from Amazon they send you a box with an access code in it (that's the way .Mac was, anyhow; MobileMe seems to be the same). So you don't have to worry about entering credit card info into your MobileMe account page, you just have to remember to buy a new code every year.

As for worrying about getting your card number stolen from Amazon, well, their security pretty much revolutionized e-commerce, so your info is probably in as good of hands as any when you buy through them.

The security issue is not so much that my *card* would be stolen or abused -- it's more that MM usernames are apparently not secure, so there is some potential for my Mobile Me IDENTITY being harvested & used by someone who isn't actually Me.

I agree that is worrisome, and wish my iDisk and web gallery would just have a "random" number in the URL rather than my username.

 

[MacAhoy]

If you buy MobileMe from Amazon they send you a box with an access code in it (that's the way .Mac was, anyhow; MobileMe seems to be the same). So you don't have to worry about entering credit card info into your MobileMe account page, you just have to remember to buy a new code every year.

As for worrying about getting your card number stolen from Amazon, well, their security pretty much revolutionized e-commerce, so your info is probably in as good of hands as any when you buy through them.



I agree that is worrisome, and wish my iDisk and web gallery would just have a "random" number in the URL rather than my username.

Thanks Ignatius -
I haven't bought any boxed software in a long time, so I am now wondering if I bought MobileMe in a box at the Apple Store in my city (instead of waiting for it to be shipped to me by Amazon), would I get an access code just as I would if I bought it from Amazon? So I input this access code in the window where normally I would input my credit card #? Sounds like a good substitute for an actual credit card # (almost an "alias" for credit cards).

I like your suggestion about having a random number in your iDisk & WebGallery URLs, in place of your username. I was discussing this sort of thing above with Daveoc64, who seems to think there isn't any way for usernames to be replaced by random strings without confusing people who just want to access all the public areas of MobileMe via a simple, easy-to-remember URL (like "gallery.mac.com/emily_parker#gallery" ). So -- why couldn't a friend type in the *insecure* link (e.g., the emily parker URL), and be re-directed by Apple's server to a sort of authorization page, where you'd have to enter a password in order to be forwarded to
the Gallery itself? That way, the insecure, easy-to-remember URL would still be useful for the average person, without granting automatic access to the *real* URL.
I hope this is making sense.... would this work, do you think?

 

[IgnatiusTheKing]

Thanks Ignatius -
I haven't bought any boxed software in a long time, so I am now wondering if I bought MobileMe in a box at the Apple Store in my city (instead of waiting for it to be shipped to me by Amazon), would I get an access code just as I would if I bought it from Amazon? So I input this access code in the window where normally I would input my credit card #? Sounds like a good substitute for an actual credit card # (almost an "alias" for credit cards).

I haven't bought MobileMe yet (still on a .Mac trial account and waiting to see how Apple fixes all the problems so far), so I'm not sure exactly where you enter the access code once you get it from Amazon or any other reseller you can by a box from (I'm assuming this includes the Apple Store). Hopefully someone who has bought one can fill us in on where you enter the code.

One advantage to purchasing from Amazon is the difference in price: $99 from Apple, $79.99 from Amazon.

I like your suggestion about having a random number in your iDisk & WebGallery URLs, in place of your username. I was discussing this sort of thing above with Daveoc64, who seems to think there isn't any way for usernames to be replaced by random strings without confusing people who just want to access all the public areas of MobileMe via a simple, easy-to-remember URL (like "gallery.mac.com/emily_parker#gallery" ). So -- why couldn't a friend type in the *insecure* link (e.g., the emily parker URL), and be re-directed by Apple's server to a sort of authorization page, where you'd have to enter a password in order to be forwarded to
the Gallery itself? That way, the insecure, easy-to-remember URL would still be useful for the average person, without granting automatic access to the *real* URL.
I hope this is making sense.... would this work, do you think?

Maybe instead of a random number that redirects, the default URL for an iDisk could be something like http://idisk.mac.com/123456 (instead of http://idisk.mac.com/username). That would make sure a bookmark would always work, but would just make the URL more secure.

 

[MacAhoy]

I haven't bought MobileMe yet (still on a .Mac trial account and waiting to see how Apple fixes all the problems so far), so I'm not sure exactly where you enter the access code once you get it from Amazon or any other reseller you can by a box from (I'm assuming this includes the Apple Store). Hopefully someone who has bought one can fill us in on where you enter the code.

If you did this in the past with .Mac -- do you recall where you input this access code? I would call up my local Apple store & just ask them, but am suffering from terrible laryngitis right now & can hardly speak!..

One advantage to purchasing from Amazon is the difference in price: $99 from Apple, $79.99 from Amazon.

Yah, I saw that -- would be nice to have the extra $20, although I guess some of that is used up in shipping costs.

Maybe instead of a random number that redirects, the default URL for an iDisk could be something like http://idisk.mac.com/123456 (instead of http://idisk.mac.com/username). That would make sure a bookmark would always work, but would just make the URL more secure.

(Oops, I just realized why my suggestion wouldn't work -- it secures the URL, but doesn't prevent spammers from discovering valid MobileMe e-mail addresses.)
The usefulness of the MobileMe identity is that you can hand it out to friends and know that they will be able to access *all* parts of your MM service... so appending a number, as you suggested, might confuse things (although it would certainly work as a bookmark).
Arg, I'll think more about this *later*...

All I really want from MobileMe right now is the nice Web Gallery interface & the iDisk service, to transfer largish files... Considering how much agony many MM customers are currently experiencing with MM Mail & push services, etc., I would be quite happy if I could have reliable use of JUST an iDisk & a Web Gallery, thanks!!

 

[IgnatiusTheKing]

If you did this in the past with .Mac -- do you recall where you input this access code? I would call up my local Apple store & just ask them, but am suffering from terrible laryngitis right now & can hardly speak!..

I'm on a trial account (and as such, haven't ever paid for the service), but I've read many a thread about how the box contains nothing but a code. MobileMe might be different, but it doesn't seem so.

Yah, I saw that -- would be nice to have the extra $20, although I guess some of that is used up in shipping costs.

Amazon shipping is free on orders over $25. If you don't want to wait, sign up for a trial account while after you order it, then when you get the box you can convert it into a full account.

The usefulness of the MobileMe identity is that you can hand it out to friends and know that they will be able to access *all* parts of your MM service... so appending a number, as you suggested, might confuse things (although it would certainly work as a bookmark).

True, but I think if you were giving friends or clients a link, that would be just as useful. That link could be just about anything, though certainly a number at the end isn't as memorable as a name.

 

[MacAhoy]

I'm on a trial account (and as such, haven't ever paid for the service), but I've read many a thread about how the box contains nothing but a code. MobileMe might be different, but it doesn't seem so.

errrr... I wish I'd gone ahead & signed up for the .Mac trial right before July 11 -- as I remember, those .Mac trials were offered without requiring input of a credit card, for years!.....

Amazon shipping is free on orders over $25. If you don't want to wait, sign up for a trial account while after you order it, then when you get the box you can convert it into a full account.

I don't want to sign up for the trial online only because it obliges me to input my credit card... and as I described earlier, it's not the *card* security I'm most concerned about -- it's my MobileMe *identity* security (which obviously includes multiple items of useful info).

So, I may just wind up going to the local Apple Store & buying the dang box...

 

[TLewis]

Also, since everyone has your username for your mobileme account, all they need is your password (not all that hard to get now day's) and they have access to your iDisk, email, iTunes etc....

The syncing and web authentication appear to be done securely. If you use https, idisk access should also be secure. So, as long as you avoid idisk access via http, your password should hopefully be protected, as long as you follow decent password guidelines (your iTunes and MM passwords are different, I hope). (I'm also assuming that you're smart enough to avoid viruses, trojans, and worms.)

These days, you have to assume that spammers can get access to your username. Unless your username is a bunch of random letters and numbers, it's probably in some spammer's dictionary.

I don't really care if spammers know my username. I'm more concerned about the "insecure" MobileMe web interface. Although the authentication appears to be done securely, everything else seems to be sent unencrypted: email, contacts, calendar info, etc.. While this may not be a big problem at home, I don't think it's acceptable for use in public places (e.g., public wifi). (Note that this is for the web interface; as long as you've configured email correctly, MM IMAP email should be secure.)

 

[MacAhoy]

The syncing and web authentication appear to be done securely. If you use https, idisk access should also be secure. So, as long as you avoid idisk access via http, your password should hopefully be protected, as long as you follow decent password guidelines (your iTunes and MM passwords are different, I hope).

Thanks -- since I'm not a MobileMe customer yet, I haven't seen the iDisk access pages:
what do I need to do to access iDisk via https & not http? Are there secure AND insecure iDisk access pages? I really hope you can teach me about this, because iDisk and Web Gallery are really the ONLY things that I really want out of MobileMe right now-!
thanks!

I'm more concerned about the "insecure" MobileMe web interface. Although the authentication appears to be done securely, everything else seems to be sent unencrypted: email, contacts, calendar info, etc.. While this may not be a big problem at home, I don't think it's acceptable for use in public places (e.g., public wifi). (Note that this is for the web interface; as long as you've configured email correctly, MM IMAP email should be secure.)

I agree about this -- although I have to admit that for all the years I've been using Hotmail (sometimes not too happily), I have been aware that my logging in was the only thing secure about my Hotmail messaging. (Generally I don't email from web-based services like this unless I'm on a known network, though.)

So -- I have learned to be aware that what I am e-mailing is not necessarily secure... but I still assume that my actual Hotmail password itself IS secure. I figure that this is the same arrangement with MobileMe's mail service.. do you agree?

 

[TLewis]

Well, one issue is that Apple's support pages only seem to talk about the unencrypted access methods. Look for the iDisk help here:

http://www.apple.com/support/mobileme/​

Basically, any method that uses "http" instead of "https" means that the "bad guys" can, in theory, see your files as they are transferred to/from the mobileme servers. In practice, you might be safe if you use plain "http" from home; however, using plain "http" is a really bad idea if you're using something like a public access point. To use a more secure access method, assuming that it works, just replace "http" with "https". (This assumes that you're using a computer/laptop owned by you; using a public PC/Mac is a really bad idea, even if https is used.)

While https doesn't seem to work with the MM web pages, it does appear to work for mounting idisk as a drive on your computer. Under OS X, I assume that using https is possible, but I don't know how. Vista supports https, but it appears to be a bit quirky (e.g., reconnect at logon doesn't seem to work). Under XP, using https doesn't work, unless you use the "stunnel" program, which is cumbersome to use (supposedly, however, https works if you've installed Office 2007).

As far as web pictures go, I think you can only access MobileMe's pictures via the web, which means that an unencrypted connection is used. (Sorry, there might be a secure connection from a mac, but I have no clue.) If you don't mind unencrypted connections, you might want to look into making web albums using Google's picasa (free). While it's mainly a PC program, Google now also has a picasa picture uploader for the mac. One nice feature is that you can get special, non-public album URLs, which contain random letters/numbers to help hide your non-public albums from prying eyes (yeah, it's security by obscurity, but it's fine if you don't mind unencrypted connections). These URLs are nice for handing out to family and friends. Google only gives you 1GB of picture space for free, although you can pay to get more space.

So -- I have learned to be aware that what I am e-mailing is not necessarily secure... but I still assume that my actual Hotmail password itself IS secure. I figure that this is the same arrangement with MobileMe's mail service.. do you agree?

Well, it appears that the initial password authentication is secure, as well as doing a MobileMe sync (on a PC -- I assume that this is also true on a mac). However, I don't know if this is true for all cases. It does sound similar to the way that hotmail works.

Side note: while gmail has supported https for a while, they've just made it easier to use it:

http://lifehacker.com/399229/gmail-offers-always+secure-option​

 

[MacAhoy]

While https doesn't seem to work with the MM web pages, it does appear to work for mounting idisk as a drive on your computer. Under OS X, I assume that using https is possible, but I don't know how.

Well, that's what I need to know, 'cause I'm not a Windows user. I do want to upload files securely to iDisk -- can you give me an example of an iDisk that I can try accessing with https? (I'm not a MobileMe customer yet, so don't have my own iDisk)

As far as web pictures go, I think you can only access MobileMe's pictures via the web, which means that an unencrypted connection is used. (Sorry, there might be a secure connection from a mac, but I have no clue.)

I really wish I could for sure upload photos to a MobileMe Web Gallery securely! Is that just not possible?

If you don't mind unencrypted connections, you might want to look into making web albums using Google's picasa (free). While it's mainly a PC program, Google now also has a picasa picture uploader for the mac. One nice feature is that you can get special, non-public album URLs, which contain random letters/numbers to help hide your non-public albums from prying eyes (yeah, it's security by obscurity, but it's fine if you don't mind unencrypted connections). These URLs are nice for handing out to family and friends. Google only gives you 1GB of picture space for free, although you can pay to get more space.

I have used Picasa Web Albums, and generally liked it -- except for the fact that Google specifically states that anything I upload is usable by Google for any purpose of their own!....

Thanks for your help.

 

[IgnatiusTheKing]

On a Mac, you upload pictures to MobileMe galleries using iPhoto; you don't use a browser at all.

 

[TLewis]

Well, that's what I need to know, 'cause I'm not a Windows user. I do want to upload files securely to iDisk -- can you give me an example of an iDisk that I can try accessing with https? (I'm not a MobileMe customer yet, so don't have my own iDisk)

Sorry, I don't know of any such disks. However, it does appear that OS X does work with with https:

http://discussions.apple.com/thread.jspa?threadID=1280777​

I really wish I could for sure upload photos to a MobileMe Web Gallery securely! Is that just not possible?

No idea, sorry. However, even if you could upload securely, does OS X provide another way of sharing photos except via a browser? If your friends/customers have to view your photos via the web, I don't think it's done securely.

 

[Daveoc64]

On a Mac, you upload pictures to MobileMe galleries using iPhoto; you don't use a browser at all.

Yes, but viewing them is done through a web browser. So you might upload them using https, but the second it hits the web your pictures will be on a public http site.