Tag Archive for MobileMe

Apple’s MobileMe: A New Spammer Resource

Subscribers to Apple’s MobileMe service have found themselves getting more spam than usual, as well as some “phishing” scams aimed directly at them. And spammers are getting fewer bouncebacks.

The problem lies in the iDisk online file storage service every subscriber is provided with. The service comes with a “public” folder which cannot be hidden or deleted. Every public folder address starts with http://idisk.mac.com/, followed by the subscriber’s username and “-Public”. A programmer can write code to automatically generate random user names using words and names straight out of a digital dictionary.

“Why do this with iDisk’s public folder space?”, you ask.

iDisk: A Sample Public Folder


The username associated with a public iDisk folder is also the first half of the email address assigned to that subscriber by the MobileMe service. The second half of the address is either @me.com or @mac.com. This hack allows a spammer to determine the validity of an email address. Any http://idisk.mac.com/username-Public address that doesn’t result in an “Account Error: Inactive” message — as the link above probably will — means that they’ve found a legitimate account. A legitimate account would come up with a page as shown in the picture at right.

Furthermore, if the public folder shows that there are files stored in that location, as the sample picture shows, a spammer could tailor a message referring to that file in an effort to get the user to reply and reveal personal information.

Imagine if you used this service: You upload some of your files or photos to it, and then, a few days or weeks later you get an email mentioning one or more of your files by name. If you hadn’t thought about your “public folder” being “public”, you might take the message very seriously. Even more so if the sender claimed to represent Apple. (Of course that spammer would be breaking the law by falsely identifying themselves. See my article “Spammers Get CANned”.)

Anyone Can See The Files?

Anyone can see or read the names of your public files, assuming they find your public folder, but they won’t be able to access, open, or download them unless they take a guess at your login information, too; so make sure you use a good password and not your birthday or pet’s name.  They can’t upload anything to your folder either, unless they figure out your login info.

Simply said, Apple’s MobileMe iDisk service gives spammers a handy way to determine valid email addresses, so they get fewer, if any, bouncebacks and undeliverable messages. The names of files stored on iDisk could be used to make the spammer’s or phisher’s message appear legitimate.
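From the service operator's side, the probing described above shows up in web logs as one client requesting many distinct username-Public addresses, most of which return the inactive-account page. The following is an added example, not code from the original post; the log format, the sample lines, the thresholds and the assumption that the "Account Error: Inactive" page is logged as status 404 are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed access-log lines (not real traffic). Assumed format:
#   <client_ip> "GET /<username>-Public" <status>
# Assumption: the "Account Error: Inactive" page is logged as status 404.
SAMPLE_LOG = """\
198.51.100.4 "GET /carol-Public" 200
203.0.113.9 "GET /aardvark-Public" 404
203.0.113.9 "GET /abacus-Public" 404
203.0.113.9 "GET /abbey-Public" 200
198.51.100.4 "GET /carrol-Public" 404
203.0.113.9 "GET /abbot-Public" 404
203.0.113.9 "GET /able-Public" 404
203.0.113.9 "GET /about-Public" 404
198.51.100.4 "GET /dave-Public" 200
"""

LINE_RE = re.compile(r'^(\S+) "GET /([^/\s"]+)-Public/?" (\d{3})$')

def find_enumerators(log_text, min_names=5, min_miss_ratio=0.6):
    """Flag clients that request many distinct public folders and mostly
    hit inactive accounts. Returns {client: (distinct_names, miss_ratio)}."""
    names = defaultdict(set)    # client -> usernames requested
    misses = defaultdict(set)   # client -> usernames that were inactive
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue            # ignore lines that are not public-folder hits
        client, user, status = m.group(1), m.group(2).lower(), m.group(3)
        names[client].add(user)
        if status == "404":
            misses[client].add(user)
    flagged = {}
    for client, seen in names.items():
        ratio = len(misses[client]) / len(seen)
        if len(seen) >= min_names and ratio >= min_miss_ratio:
            flagged[client] = (len(seen), round(ratio, 2))
    return flagged

if __name__ == "__main__":
    print(find_enumerators(SAMPLE_LOG))
```

A subscriber who mistypes one friend's folder name stays under both thresholds, while the dictionary-ordered run of guesses is flagged.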

Phishing. For those unfamiliar with this term, simply stated, it is an email message designed to get the recipient to reveal personal information such as account numbers or login information. The sender poses as a well-known service or someone offering an enticement to respond. Popular targets have been eBay, PayPal, and online banking users.

In the iDisk problem discussed here, the phisher can determine if a username and email address exist. Furthermore, if the account owner stores files publicly on the service, the names of files can be referred to in a phisher’s email message to shore up their credibility.



Steve Jobs on the MobileMe mess


An apologetic email attributed to Steve Jobs regarding Apple’s troubled MobileMe service was leaked today.

Team,

The launch of MobileMe was not our finest hour. There are several things we could have done better:

  • MobileMe was simply not up to Apple’s standards – it clearly needed more time and testing.
  • Rather than launch MobileMe as a monolithic service, we could have launched over-the-air syncing with iPhone to begin with, followed by the web applications one by one: Mail first, followed 30 days later (if things went well with Mail) by Calendar, then 30 days later by Contacts.
  • It was a mistake to launch MobileMe at the same time as iPhone 3G, iPhone 2.0 software and the App Store. We all had more than enough to do, and MobileMe could have been delayed without consequence.

We are taking many steps to learn from this experience so that we can grow MobileMe into a service that our customers will love. One step that I can share with you today is that the MobileMe team will now report to Eddy Cue, who will lead all of our internet services: iTunes, the App Store and, starting today, MobileMe. Eddy’s new title will be Vice President, Internet Services and he will now report directly to me.

The MobileMe launch clearly demonstrates that we have more to learn about Internet services. And learn we will. The vision of MobileMe is both exciting and ambitious, and we will press on to make it a service we are all proud of by the end of this year.

Steve

MobileMe, released on July 9, 2008, was Apple’s replacement for their .Mac service (released Jan. 5, 2000). MobileMe, like .Mac before it, was a package or suite of services.  All .Mac subscribers were upgraded to MobileMe.

For $119 per year MobileMe users have access to services such as:

  • 20 GB of online storage
  • Mail: MobileMe includes an @me.com email address (previous .Mac users also keep their @mac.com address and can use either as both addresses are linked). When a message is received it is sent directly to all the user’s devices using Push Mail. Supported devices include the Apple iPhone, iPod Touch, Apple Mail on Mac OS X, and Microsoft Outlook on Microsoft Windows.
  • Address Book and Calendar: If a user makes a change to a contact or event on one device it will be automatically synced to the MobileMe servers and, by extension, all the user’s other devices. Supported devices include the Apple iPhone, Address Book and iCal on Mac OS X, or Microsoft Outlook on Microsoft Windows.
  • Photo Gallery: Photos can be uploaded in the web browser at me.com, synced by iPhoto or Aperture on Mac OS X or by sending them from the iPhone and iPod Touch.
  • iDisk: An online storage repository accessible via a web browser at me.com, Finder on Mac OS X, or as a remote disk in Microsoft Windows. It also allows sharing of files by placing them in the iDisk Public Folder.
  • iWeb Publish: Users of Mac OS X 10.5 or later can use the iLife 08 application iWeb to publish websites hosted on their MobileMe account, either to a domain name that the user controls or a page on the me.com website.

What Problems Were/Are There

Among the most vexing problems suffered by users of MobileMe were the poor functioning of the synchronization service for the address book, which often resulted in duplicate entries or lost entries; an email service outage that lasted four days; and generally choppy service access.