If you’re using iDisk, the Internet hard drive feature of Apple’s iTools service that runs under Mac OS X 10.1, be warned: the latest version of the next-generation operating system appears to be less secure than previous versions of Mac OS X.
iDisk support is now based on the Internet-standard HTTP Web server extension WebDAV, a multiplatform networking protocol that works on various flavors of Windows and Linux. In fact, Apple says that versions of Windows and Linux running a WebDAV client can access iDisks the same way Mac users can.
Previously, if you mounted your iDisk on your desktop but didn’t actively use it, Apple’s servers would log you off after a period of inactivity. That changes with iDisk under 10.1 — now you can have your iDisk mounted indefinitely.
All that sounds good. However, according to a message at the Open Door Networks Web site, in Mac OS X 10.1 your iDisk is usually accessed using the WebDAV protocol rather than the Apple Filing Protocol (AFP) used previously. Like AFP, WebDAV isn’t supposed to send your password over the Internet, which means it should be as secure as AFP.
However, the implementation of WebDAV in Mac OS X 10.1, as used with iDisk, violates the WebDAV specification and sends your password in a way that makes it easy for hackers to discover, according to the folks at Open Door Networks, which specializes in Mac Internet security and file sharing. Using iDisk under Mac OS X 10.1 could easily result in disclosure of your password and full access to your iDisk by others, they say.
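The difference between a WebDAV client that keeps the password off the wire and one that does not comes down to which HTTP authentication scheme is used. The following Python script is an added example for this article, not code from Apple or Open Door Networks: it parses a client request and a server challenge and reports whether the password itself is observable. It assumes (the article only says the password is sent in an easily recoverable form) that the weak mode is HTTP Basic authentication over plain HTTP and that the spec-compliant alternative is Digest authentication; the hostname `idisk.example.invalid`, the `/member/` path and the credentials are constructed sample data.

```python
"""Check whether an HTTP/WebDAV exchange exposes the user's password.

Added example for this article; it is not Apple's or Open Door Networks' code.
Assumptions: the weak mode is HTTP Basic authentication over plain HTTP, and
the spec-compliant alternative is Digest authentication. All sample messages
below are constructed, not captured from iDisk.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample traffic. PROPFIND is the WebDAV method a client uses to
# list a folder, i.e. what happens when a mounted iDisk is browsed.
BASIC_REQUEST = (
    "PROPFIND /member/ HTTP/1.1\r\n"
    "Host: idisk.example.invalid\r\n"
    "Depth: 1\r\n"
    "Authorization: Basic dXNlcjpwYXNz\r\n"   # base64("user:pass"), constructed
    "\r\n"
)
DIGEST_REQUEST = (
    "PROPFIND /member/ HTTP/1.1\r\n"
    "Host: idisk.example.invalid\r\n"
    "Depth: 1\r\n"
    'Authorization: Digest username="user", realm="idisk", nonce="c0ffee", '
    'uri="/member/", response="0123456789abcdef0123456789abcdef"\r\n'
    "\r\n"
)
CHALLENGE = (
    "HTTP/1.1 401 Unauthorized\r\n"
    'WWW-Authenticate: Basic realm="idisk"\r\n'
    'WWW-Authenticate: Digest realm="idisk", nonce="c0ffee", qop="auth"\r\n'
    "\r\n"
)


def parse_head(raw: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split an HTTP message head into its start line and (name, value) headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def header_values(headers: List[Tuple[str, str]], name: str) -> List[str]:
    """All values of a (possibly repeated) header, case-insensitive on the name."""
    return [v for n, v in headers if n == name.lower()]


@dataclass
class AuthAssessment:
    scheme: Optional[str]
    over_tls: bool
    exposes_password: bool
    reason: str


def assess_request(raw: str, over_tls: bool) -> AuthAssessment:
    """Judge a client request: can an observer on the path read the password?"""
    _, headers = parse_head(raw)
    auth = header_values(headers, "Authorization")
    if not auth:
        return AuthAssessment(None, over_tls, False, "no credentials sent")
    scheme = auth[0].split(None, 1)[0]
    if scheme.lower() == "basic":
        if over_tls:
            return AuthAssessment("Basic", True, False,
                                  "Basic is only base64, but TLS hides it from observers")
        return AuthAssessment("Basic", False, True,
                              "Basic over plain HTTP: user:password is readable in transit")
    if scheme.lower() == "digest":
        return AuthAssessment("Digest", over_tls, False,
                              "Digest sends a hash bound to a server nonce, not the password")
    return AuthAssessment(scheme, over_tls, not over_tls,
                          f"unrecognised scheme {scheme}: treat as exposed unless TLS is used")


def offered_schemes(raw_response: str) -> List[str]:
    """List the authentication schemes a server challenge offers, in order."""
    _, headers = parse_head(raw_response)
    return [v.split(None, 1)[0] for v in header_values(headers, "WWW-Authenticate")]


def server_offers_digest(raw_response: str) -> bool:
    """True when the server offers Digest, so a compliant client need never send Basic."""
    return any(s.lower() == "digest" for s in offered_schemes(raw_response))


if __name__ == "__main__":
    for label, req in (("Basic/HTTP", BASIC_REQUEST), ("Digest/HTTP", DIGEST_REQUEST)):
        a = assess_request(req, over_tls=False)
        print(f"{label}: scheme={a.scheme} exposes_password={a.exposes_password}  {a.reason}")
    print("server offers:", offered_schemes(CHALLENGE))
```

Run against the constructed messages, the Basic request over plain HTTP is flagged as exposing the password while the Digest request is not, and the challenge shows the server offering both schemes; a client that picks Basic in that situation is the behaviour the article describes. The same check can be pointed at a real capture or proxy log of your own traffic to see which scheme your client actually chose.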
“Any hacker who can see the data being sent between your machine and the iDisk server can easily extract your password and other information needed to access your iDisk,” Open Door Networks says. “The hacker would then have complete read/write access to your iDisk, including your personal Web site pages and any other files and information you’ve placed there. And since your iDisk password is also used for your mac.com e-mail account, the hacker would also have access to that account as well. If you select ‘iDisk’ from the ‘Go’ menu or click on the iDisk icon in the Finder, your iDisk will be vulnerable.”
There is a workaround, though it’s a bit awkward. To connect to iDisk the old (and secure) way under Mac OS X 10.1, you should use “Connect to Server” under the “Go” menu and enter the address: afp://idisk.mac.com. “Doing so is highly recommended until Apple comes out with a fix for this problem (of which they’re well aware),” Open Door Networks says.