A configuration-related vulnerability is reported to exist in certain Mac OS tools which may expose iDisk authentication credentials to attackers able to sniff network traffic passed between a client system and the Mac.com service. The iDisk service password is the same password used for the Mac.com service, and users of both services can use Mail.app to retrieve mail from Mac.com. Authentication credentials for the iDisk service are sent over WebDAV using HTTPS, so that communications between client and server are encrypted. Mail.app, however, does not appear to apply the same protection by default when communicating with Mac.com: while Mail.app can be configured to communicate with mail servers using SSL, this option does not appear to be enabled in the default Mail.app configuration, even though STARTTLS is supported on the server side by Mac.com. An attacker may potentially take advantage of this exposure to gain unauthorized access to both Mac.com and iDisk, since the credentials are shared between the two services.
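The mitigation the advisory points at is a client that refuses to send the shared password until the mail connection is encrypted. The following Python is an added example, not Apple's or Mail.app's code: it models an IMAP-style login exchange (the advisory does not name the mail protocol; IMAP is assumed here) against a scripted, in-memory stand-in server, and contrasts a client that logs in immediately with one that negotiates STARTTLS first and otherwise refuses. The server capabilities, command tags and the user name and password are constructed sample values, and no real network traffic is generated.

```python
"""Client-side guard against sending mail credentials over a plaintext link.

Added example; the ScriptedServer is a constructed stand-in for a mail
server and the credentials below are sample values, not real ones.
"""
from dataclasses import dataclass, field
from typing import List, Set


def parse_capabilities(line: str) -> Set[str]:
    """Parse an untagged IMAP CAPABILITY response into an upper-cased set.

    '* CAPABILITY IMAP4rev1 STARTTLS' -> {'IMAP4REV1', 'STARTTLS'}.
    Any other line (tagged OK/BAD, data lines) yields an empty set.
    """
    parts = line.strip().split()
    if len(parts) < 2 or parts[0] != "*" or parts[1].upper() != "CAPABILITY":
        return set()
    return {p.upper() for p in parts[2:]}


@dataclass
class ScriptedServer:
    """In-memory stand-in for an IMAP server (constructed, no sockets).

    Commands received while tls_active is False are recorded in
    exposed_commands: that is exactly what a passive observer on the
    network path would be able to read.
    """
    capabilities: Set[str]
    tls_active: bool = False
    exposed_commands: List[str] = field(default_factory=list)

    def send(self, cmd: str) -> List[str]:
        if not self.tls_active:
            self.exposed_commands.append(cmd)
        tag, _, rest = cmd.partition(" ")
        verb = rest.split(" ", 1)[0].upper()
        if verb == "CAPABILITY":
            # After the TLS upgrade the server no longer advertises STARTTLS.
            caps = self.capabilities - ({"STARTTLS"} if self.tls_active else set())
            return [f"* CAPABILITY IMAP4rev1 {' '.join(sorted(caps))}",
                    f"{tag} OK CAPABILITY completed"]
        if verb == "STARTTLS":
            if "STARTTLS" not in self.capabilities or self.tls_active:
                return [f"{tag} BAD STARTTLS not available"]
            self.tls_active = True
            return [f"{tag} OK Begin TLS negotiation now"]
        if verb == "LOGIN":
            return [f"{tag} OK LOGIN completed"]
        return [f"{tag} BAD unknown command"]


@dataclass
class LoginOutcome:
    authenticated: bool
    over_tls: bool
    reason: str


def login_without_tls_check(server: ScriptedServer, user: str, password: str) -> LoginOutcome:
    """The unprotected configuration: LOGIN is the first thing on the wire."""
    reply = server.send(f"a1 LOGIN {user} {password}")
    return LoginOutcome(reply[-1].split(" ", 2)[1] == "OK", server.tls_active, reply[-1])


def login_safely(server: ScriptedServer, user: str, password: str) -> LoginOutcome:
    """Send LOGIN only once the client itself has seen STARTTLS succeed.

    Steps: query capabilities, upgrade with STARTTLS when it is offered,
    re-query capabilities after the upgrade (the pre-TLS list travelled in
    the clear and is untrusted), then authenticate. Without TLS the
    password is never transmitted.
    """
    tls_active = False  # the client's own view of the link, not the server's
    caps: Set[str] = set()
    for line in server.send("a1 CAPABILITY"):
        caps |= parse_capabilities(line)
    if "STARTTLS" in caps:
        reply = server.send("a2 STARTTLS")
        if reply[-1].split(" ", 2)[1] == "OK":
            tls_active = True  # a real client wraps the socket with ssl here
            caps = set()
            for line in server.send("a3 CAPABILITY"):
                caps |= parse_capabilities(line)
    if not tls_active:
        return LoginOutcome(False, False, "refused: no TLS, password would travel in the clear")
    if "LOGINDISABLED" in caps:
        return LoginOutcome(False, True, "refused: server disallows LOGIN")
    reply = server.send(f"a4 LOGIN {user} {password}")
    return LoginOutcome(reply[-1].split(" ", 2)[1] == "OK", True, reply[-1])


if __name__ == "__main__":
    unguarded = ScriptedServer(capabilities={"STARTTLS"})
    print(login_without_tls_check(unguarded, "alice", "s3cret"), unguarded.exposed_commands)
    guarded = ScriptedServer(capabilities={"STARTTLS"})
    print(login_safely(guarded, "alice", "s3cret"), guarded.exposed_commands)
    print(login_safely(ScriptedServer(capabilities=set()), "alice", "s3cret"))
```

The point of the contrast is in `exposed_commands`: with the unguarded client the LOGIN line, password included, is the first thing on the wire, whereas the guarded client only ever exposes CAPABILITY and STARTTLS and, against a server that offers no TLS at all, sends nothing sensitive and reports a refusal instead. Because the iDisk and Mac.com passwords are the same, that refusal protects both services.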