It seems to me that USERIDs have been used for this type of thing for a very long time (easy to implement). So it is not new. It is just that the bad guys have gotten a lot more persistent over the years.

However, they could follow the way Google Calendar works. When you create your Google Calendar you are provided with a VERY LONG URL to give out to people that want to share your calendar and it does not have your USERID as part of the URL. Maybe they could offer both options. A simple (but less secure) URL and the Longer more secure URL.

Thanks for this suggestion, d21mike!

I had forgotten that is what was done with Google's Picasa Web Album service, actually. (in fact I posted a very lengthy slideshow on that service a couple of years ago, and I now recall that the URL for this was indeed extremely long... quite a good slideshow service, as it provides much larger images than Yahoo slideshows, for instance.)

So there is some hope that MobileMe usernames could be made less vulnerable in similar fashion..?
(Would make me feel much more willing to hand over my credit card info, if I weren't worrying about someone potentially gaining access to my MobileMe account via an insecure username -!)
 
I'm currently doing a Computer Science degree, so a large part of it is programming.

The problem is not anything to do with the security of the gallery.

The OP (and others) were concerned that people could simply look at the name of every MobileMe gallery and automatically gain access to a huge amount of guaranteed-to-work e-mail addresses for SPAM purposes.

If http://gallery.me.com/emily_parker is a valid gallery (i.e. the user is paying for their MobileMe subscription), then emily_parker@me.com (or @mac.com) is a valid address that could be spammed.


Hmmmm..
1. I'm not the OP (whooleytoo is), but I am the person who first raised this particular issue of username insecurity in the present thread. (see my first post above, on page 1.) Your description of the manner in which spammers could obtain valid MobileMe addresses by simply looking at Web Gallery URLs is the same as what I wrote about in my first post.

2. I did not say that the problem was "anything to do with the security of the gallery," so I guess we are in agreement there.
 
I too have experienced an influx of spam under my .mac/me account in the last few days. I usually file junk in a junk folder so I can try and figure out what rules to set up. In June I received a total of 10 junk e-mails. This month, this past 5 days actually I've received 18 pieces.
 
It's one possibility, but it seems too complex for MobileMe.

What is complex about it?
I think the way this was implemented on Picasa Web Albums functioned no differently than the current MobileMe style of URL ... in other words, not different for the average user, who just clicks on a longer URL, that is too long to be useful for spammers.
(oh, you wanted a short, memorable link for people such as your Mum... wouldn't an alias accomplish that?)
 
Well no, but at the end of the day Apple is pushing features that are very public and not at all complex.

My website would be at web.mac.com/username

You can't turn that into a long link without it being annoying.

You'd have to seriously change how the service is designed to eliminate the issue.
 
Dave,
your reply begins: "Well no..."
meaning no *what*??...
Is this your reply to my question about use of aliases?
(i.e., a shorthand substitute for a lengthy URL)?

It seems that you're repeating things you said above, so I don't know how to dialogue about this further with you. Perhaps if you have a look at the Google examples mentioned (Google Calendar, Picasa Web Gallery) you could see what you think of this particular solution.
Although (as I said earlier) I don't think that there's only one way to deal with this issue... I realize you don't agree with that, so I'll leave it there for now.
 
Google Calendar and Picasa Web Gallery aren't the same as MobileMe.

MobileMe offers:

1 name for you (to login)
1 name for your web page(s)
1 name for your e-mail
1 name for your public iDisk
1 name for your MobileMe gallery

The problem with using 1 name is that you must accept that people can access all the parts of the system if they know it from using just one of them.


Google Calendar's toggle of making the calendar "public" or not is an interesting idea. I don't really think it would work with MobileMe's services. An individual calendar is totally different to a space designed for sharing with people. I don't want people to see my calendar, but my public iDisk is just that - public. I see no way to make it truly public without revealing the username.

Looking at Picasa Web Albums, their solution isn't all that great. It could easily be ignored by a spammer.

Oh and sorry, I wasn't very clear. I did mean the "well no" to be in response to the alias thing.
 
OK -- so "well no.. in response to the alias thing":
would you mind explaining *why* no?

And regarding the Picasa Web Albums solution "not being all that great... easily ignored": so what does this ignoring accomplish? or what risk is there to the user if a spammer "ignores" ... what? :-o

I do understand the point you have been repeating, that a "1 name" sort of master key is by nature "public." I'm sure you're aware of the entire sub-specialty of computer science that deals only with security of "public" keys, & such... so I continue to assume that some security could be overlaid (if you will) on top of this "master key" sort of scheme.

In any event -- the *specific* thing that DOES need protecting is access to a user's actual MobileMe account data... so surely there are ways of enhancing the security of this one item, even if the username itself is publicized. (I seem to remember there is also a password access feature that is applicable to the Public iDisk, for instance..)
 
I think you're turning MobileMe into something it's not.

It's a service aimed at consumers. It's not designed for top secret data. A username on it is not a "public key".

It's not a key at all. It's a way of locating data - associated with a person. That is also why aliases would not work. Your MobileMe user name is your name on the web, having different names for different parts of the service would make that experience fall apart. I know that I can find my friend's MobileMe iDisk, Gallery, Web Page etc. just by knowing their user name. Aliases would make that experience inconsistent.

As for Picasa's security being "ignorable", as far as I can tell it just places a robots file in your gallery which stops automated systems (like search engines) looking at such a site. These can be ignored and I'd imagine anybody looking for e-mail addresses for SPAM would just do that. On closer inspection, it seems to just remove the link from Google search engines.

The issue with all of these sites is that the username is used for authentication and as an identity. It's one of their strongest points, but also a big flaw in many ways - but there's very little you can do to overcome the issue of spammers abusing the system.
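The two addressing schemes argued over above (a guessable username URL that doubles as an e-mail address, versus the Google-style long random link that does not contain the USERID) can be shown side by side in a small model. This is an added example, not MobileMe's, Picasa's or any poster's code; the host `gallery.example.test`, the class and function names, and the `me.com` domain in the report are assumptions for illustration:

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class GalleryService:
    """Constructed model of a gallery host offering both link styles from the thread.

    * username mode:   /gallery/<username>   (guessable; leaks the mailbox local part)
    * capability mode: /gallery/s/<token>    (random; says nothing about the owner)
    """
    base: str = "https://gallery.example.test"   # hypothetical host
    # Server-side map token -> owner: the only place a random link is tied to a user.
    _tokens: dict = field(default_factory=dict)
    _public: set = field(default_factory=set)

    def publish_by_username(self, username: str) -> str:
        self._public.add(username)
        return f"{self.base}/gallery/{username}"

    def publish_by_token(self, username: str) -> str:
        # 32 random bytes -> 43 URL-safe characters; cannot be enumerated from a name list.
        token = secrets.token_urlsafe(32)
        self._tokens[token] = username
        return f"{self.base}/gallery/s/{token}"

    def revoke_token(self, token: str) -> None:
        # A leaked capability link can be rotated without renaming the account.
        self._tokens.pop(token, None)

    def resolve(self, url: str):
        """Return the owner behind a URL, or None if it is not a live share link."""
        if not url.startswith(self.base):
            return None
        path = url[len(self.base):]
        if path.startswith("/gallery/s/"):
            return self._tokens.get(path[len("/gallery/s/"):])
        if path.startswith("/gallery/"):
            name = path[len("/gallery/"):]
            return name if name in self._public else None
        return None


def exposure_report(urls, domain="me.com"):
    """Which working mailboxes a list of public links gives away.

    Username-mode links each reveal one address (the point made in the thread);
    token links reveal none, because the token is random rather than a name.
    """
    exposed = []
    for url in urls:
        if "/gallery/s/" in url:
            continue
        exposed.append(f"{url.rsplit('/', 1)[-1]}@{domain}")
    return exposed
```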
 
So far I haven't turned MobileMe into anything.. haven't got those kind of Harry Potter skills ;)

(I used the terms "public key" in a rather non-technical fashion, by the way -- as a shorthand for the way in which you described it, as basically a locator of data.. sorry if this muddied things.)

Of course MobileMe is aimed at consumers. So is every banking website. If a bank can securely prevent unauthorized access to its customers' data, I would assume & expect that Apple could do so as well. Being oriented to consumers doesn't relieve Apple of reasonable responsibility to prevent abuse of customer data -- especially sensitive financial data that might be obtained through unauthorized access to customer accounts. (By that I'm referring to the actual webpage which displays customer data such as name, contact info, etc.)

MacAhoy said:
In any event, the *specific* thing that DOES need protecting is access to a user's actual MobileMe account data... so surely there are ways of enhancing the security of this one item, even if the username itself is publicized.

Since I'm not a MobileMe customer -- yet -- I haven't seen a MobileMe account webpage.. but it appears from your signature that you are a current MM customer, so perhaps you can tell us: if an unauthorized person were to gain access to your MM account (yes, I know that is a big assumption, so stay with me here) -- is there any possibility of such a person editing or revising your financial data, such as your credit card #? Could they establish false contact info for "you"?
 
Like most sites, the billing information shows the last 4 of your credit card number. But it also shows you billing address and other somewhat private information.

Of course this is pretty much the same as any site if they can find out your userid/password. In this case they would know your userid but not your password.
 
Thanks, Mike -- I quite appreciate being able to know what is shown on that page.
What other private info is displayed? (obviously I'm not asking you to specify your particular details -- just the nature of the info: i.e.: phone numbers? what else is obligatory?)
(I use a mailing address for my credit card, so at least I don't reveal my physical address when using my card.)

Do you think there is any risk at all of someone unauthorized, who knows your username from MobileMe's public services, to gain entry to your account -- AND to change your private info? (for example, replacing your contact info would be quite harmful...)

I'm asking because another poster suggested (on a different thread) that obtaining passwords is not actually that hard to do... What do you think about that, also?

Thanks!
 
That's about it. Your billing address, phone number. Not sure of anything else. I am not sure how much damage could be caused by logging into my account and changing my CC Number and address and then say adding additional storage on a bad CC. Also, maybe logging into iTunes and buying movies and music. I think I would be able to challenge that activity like I would if someone stole my cc and used it to buy something. Of course it would be a hassle.


REVISION: Maybe should not have mentioned iTunes. I use a different login for that. However, maybe others here would be using their MM Account for iTunes as well.
 
So it seems that your CC # is stored online, actually.. kinda surprises me since it's only billed once a year -- you wouldn't have any reason to need frequent access to it in your MM account, I would think..

As I recall from the first page of the MM sign-up website, you do have to supply an existing e-mail address, too.. is that listed on your MM account info, along with your phone # & so forth?

I don't really worry so much about unauthorized purchases as I do about simple ID theft -- anyone who gets to see all this info in one place can then pretend to be me in other places.

So what's your opinion (if you have an informed one) about the risk of password theft? Could a person who knows your MM identity also get your password, or is that just not possible?
 
Not sure you should rely too heavily on my opinion but I will give it anyway.

1. I am registered on a number of sites and they all seem to store my CC number but only show the last 4 as I said earlier. However, when they do the auto re-new they usually tell you in advance (not sure MM will do that). However, you can go in and change your CC at any time (not sure about MM). If your CC expires then you would be required to update it.

2. Yes, your email address is in your Profile.

3. If you use a STRONG PASSWORD (which is recommended) then it would be hard for someone to guess and get into your records. However, if someone got a hold of the MM Account Database then of course we would all be exposed. But this would be the same for pretty much any site. This is very rare but I have seen it in the news.

However, I think you are coming from the standpoint that in this case they have 50% of the information (your USERID). So in this case I would think it more important that you have a STRONG PASSWORD. Which I think would make your information pretty safe.
 
Thx Mike.
Where is a good place online to get "STRONG PASSWORD" guidance? I have seen it at Yahoo Mail & similar sign-up pages, but I don't need to sign up for anything else just now..... ;)

Also --
I just realized why a gift card may not work at any point in this process: gift cards don't have a billing address, do they? (or security codes?)
 
Not familiar with Gift Cards.

Search Google for more help. But here is a free web page from MS.

http://www.microsoft.com/protect/yourself/password/checker.mspx

Also, last night I was reading on the App Store for the iPhone about SplashID (sure there are more) and it has a feature to create a STRONG PASSWORD for you. Not sure I will use them but I am looking into something like it to store confidential information. PASSWORD creator is extra.

http://www.splashdata.com/splashid/index.asp
 