Pretty Poor Security, Apple!

Apple just emailed me someone else’s account name and password.

On Monday I got in touch with Apple’s MobileMe “Chat Support” service. I was having a problem with my MobileMe account. Specifically, I’d deleted an event in my local calendar, and it had disappeared from the MobileMe calendar, too, but it was still showing up in the public calendar feed. (I use the public calendar feed in Google Calendar so I can use Google’s handy “mail me a daily agenda at 5am” facility.)

After the usual couple of hours trying to convince someone that I knew what I was talking about and that there really was a problem — goodness, I wish Shibboleet really worked — they decided to escalate my call to the “Senior Advisor Team”.

On Wednesday, I got a mail from one of the Senior Advisor Team. Well, I say “I”. The first line of the email surprised me a bit:

Dear Steve,

Erm. I double-checked the headers. Oh, okay. The email was sent to “stevexxx@me.com”, some other MobileMe user. And it had a case number that I didn’t recognise. I kept reading. The mail basically says that the Senior Advisor wanted to log into Steve’s MobileMe account, and took him through the necessary steps. And here’s where I started worrying about the security:

3. Click Password Settings and change your password to this: can7rice7bush

(I’ve altered that password just in case, by the way)

So, you can see the problem. Why am I being Cc’d in on this mail? If Steve doesn’t notice that another customer’s being Cc’d, or assumes that I work for Apple (why else would a Senior Advisor Cc: me?), then he’ll probably change his account password to that password. At which point I have his username (from his MobileMe email address) and his password.

That gives me read and write access to his calendar, his email, his iDisk, his photos, and any websites he publishes using the MobileMe system, among other things. If he’s got an iPhone registered in MobileMe it also gives me permission to locate him using its GPS and remotely wipe his phone’s memory.

Not good, Apple. Not good.

I replied pretty sharpish:

Hi XXX,

Sorry, am I missing something? I’m a little confused as to why I’m being copied in on this email asking another customer to change his password.

Thanks,

Matt

…but although I sent that before 7am on Wednesday, I’ve heard nothing back from Apple, more than two days later.

So, several hours of time invested so far, and I still don’t know why there’s a deleted event still showing in my public calendar feed, but nowhere else. On the plus side, there’s a fair chance I can steal someone else’s identity and use his calendar instead. Not that I would, of course.

I decided to post this because I’m concerned at Apple’s poor security here. What if it had been the other way round, and Steve had been less than honest? I could be sitting here with a dead phone as Steve rifled through my private email and changed my websites.

So, it feels fairly “public interest” to post about this, especially as Apple haven’t even bothered to get back to me about it, and as the email in question looks like a standard form mail. You might want to bear the possibility of mistakes like this in mind before you contact Apple’s MobileMe support. And if you do receive a mail from MobileMe Support asking you to change your password to something specific, at least check who’s been Cc’d in, to make sure it’s only Apple employees.

Here’s the full text of the scary email in question, with names obscured to protect individuals and, specifically, Steve’s account. I haven’t bothered with the full headers; suffice it to say I checked them carefully and the mail came direct from an Apple mail server to the receiving mail system at my end, and is genuine:

From: XXX@apple.com
Subject: Re: MobileMe Request Regarding XXX: Sync; Follow-up: XXX
Date: 10 November 2010 02:50:54 GMT
To: XXX@me.com
Cc: Matt Gibson XXX@XXX

Dear Steve,

Thank you for contacting MobileMe support, my name is XXX, I am a MobileMe Senior Advisor, and your case was escalated to my team, I will be assisting you with your issue. I sincerely appreciate your patience as the MobileMe Support team has investigated the issue you reported. I am sorry that the issue is not yet resolved. I would like your permission to log in to your account to test the issue myself. Rest assured that I will not do anything other than test the issue affecting your account, and I will not be able to see your full credit card number. I will protect your privacy in accordance with the Apple privacy policy:

http://www.apple.com/legal/privacy

Please follow these steps: 

1. Back up any important personal data in your MobileMe account. Here is a helpful article to get you started: 

How to back up MobileMe data
http://support.apple.com/kb/HT1813

2. After you have backed up your data, go to http://www.me.com/account and log in using your member name and current password. 

3. Click Password Settings and change your password to this: can7rice7bush 

4. Click Save and then click “logout” in the upper-right corner. Wait at least ten minutes before logging back in. 

5. Choose System Preferences from the Apple menu and click MobileMe, then click the Sign Out button. 

6. In the Password field, enter the new password I gave you in step 3. (If you have multiple accounts, be sure to update the correct account.) Click the Sign In button to verify that your password is properly accepted. 

7. Reply to this email to provide the following:

- Your permission to allow me to access your account

- Confirmation that you have successfully changed the password in the MobileMe Password Settings and in the System Preferences

-Is data loss in all clients or just some (iCal, me.com, Outlook), please specify?:

-Does data loss affect all calendars/events, or just some? (please be specific):

-Examples of the missing Calendar Events or Titles (if full calendars are missing):

I will log in to your account and test the issue, and then I will reply to you. After that, you should change your MobileMe password to one that only you know. Be sure to choose a password that would be hard for other people to guess. 

Thank you for your patience. I look forward to resolving this issue for you. 

Sincerely,

XXX X.
MobileMe Senior Advisor
http://www.apple.com/support/mobileme/ww
http://www.me.com/help

I work Friday-Tuesday 12:00 PM to 9:00 PM Pacific Time

Thank you for allowing me the opportunity to assist you. You may receive an AppleCare survey email; any feedback you provide would be greatly appreciated.