My Mac’s security is being compromised by .Mac
Published on 17 Nov 2007 at 9:19 pm.
7 Comments.
Filed under apple, mac, mac os, security.
I’m not a security expert by any means, so it is with great consideration that I bring up anything security related. While a feature I don’t understand may not necessarily be a security problem, one part of Leopard behaves in such an unexpected way that I can only call it a security problem – .Mac is at the center of it.
As you may have already read here, I won’t be renewing my .Mac membership. To get a jump on not relying on it any longer, I made sure not to add my .Mac account to the .Mac preference pane. I do, however, need the email a bit longer, so I added my .Mac account to Mail.app on my iMac and my new MacBook. This had the side effect of filling in my account details in the .Mac preference pane, something I didn’t want. Incidentally, clearing the fields in the .Mac preference pane disables my .Mac account in Mail.app.
At least I’m not signed in, right?
Now, here’s the problem. File sharing no longer asks me for my machine password. When I click on my iMac from my MacBook, I’m signed in using my .Mac account. Note that both machines are on my local network; this is not happening from a remote location.
Upon signing in to .Mac I confirm on both machines that “Back to My Mac” is not turned on.
Not only is this completely unexpected (that adding an email account to two machines would allow this sort of open access to my computer), it’s ostensibly disabled.
I disagree with John Gruber of Daring Fireball that the intended behavior of Back to My Mac is not a security issue. But how can anyone not consider the behavior I’ve shown here to be a major lapse in security? I do not want anyone in my house who happens to open my MacBook (usually left lying around) to have full, unrestricted access to my iMac (in a locked office).
Apple has a knowledge base article about Back to My Mac security. In the article Apple says:
To prevent a computer from being part of your Back to My Mac network at any time, you may click the “Stop” button on the Back to My Mac tab of the .Mac preferences in System Preferences. Additionally, you may click on “Sign Out” in the .Mac “Account” tab to log out of the .Mac service completely on that computer.
Apparently this isn’t the case: I’m not signed in and Back to My Mac is disabled, but my machine is still open. It’s completely unexpected that using my .Mac email would open me up to this. I wonder if using a .Mac sign-in for iChat behaves the same way.
The basic security I have in place on my iMac is a password. By using .Mac mail I’ve opened my iMac to anyone who has access to my MacBook. My Mac’s security is being compromised by .Mac.
Glenn Fleishman on 18 Nov 2007 at 5:57 am: 1
This is a Kerberos ticket issue — the ticket is assigned after authentication over the local network with a file sharing volume. But it only persists 10 hours, then the ticket expires. Were you able to mount the server without a password after 10 hours? This issue is distinct from Back to My Mac.
artMonster on 18 Nov 2007 at 8:05 am: 2
“I wonder if using a .Mac sign-in for iChat behaves the same way”
This is a concern of mine as well. There are other times that one might log into .Mac (logging in to certain Apple sites or services for example). It may be less of an issue than it appears, but that is the problem. Ignorance is not bliss regards security. Apple needs to continue addressing this and put out enough info at the novice level for people like me to really understand what is the best practice here.
JS on 18 Nov 2007 at 8:34 am: 3
This may help:
http://www.roughlydrafted.com/2007/11/05/ten-myths-of-leopard-5-%E2%80%9Cback-to-my-mac%E2%80%9D-security-panic/
Holland Rhodes on 18 Nov 2007 at 10:33 am: 4
Yah, it’s been happening a lot longer than 10 hours. My concern is not just that it doesn’t ask for a password, it’s that I didn’t (and no one should) expect doing something completely unrelated to file and screen sharing (adding an email account) would open their system in this way. Clicking “Disconnect” then browsing back to the iMac will cause it to log in again, there seems to be no way to make it ask for a password other than to delete my email account.
JS on 18 Nov 2007 at 1:14 pm: 5
Did you try deleting the password in Keychain?
Webinfront on 1 Dec 2007 at 5:51 am: 6
It doesn’t have to do with .Mac. All Mac OS X 10.5 machines can act as a KDC and any 10.5 Mac can take advantage of that. Apple has this documented here:
http://docs.info.apple.com/article.html?artnum=306723
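Glenn’s and Webinfront’s comments point at cached Kerberos service tickets from the local KDC as the reason the share mounts without a password. The script below is an added example (not from the post or from either commenter) of how to check for that on your own machine: it parses `klist` output and reports which file-sharing service tickets are still live. The klist layout, the `afpserver/` service name and the LKDC realm string in the sample are assumptions constructed for this example; adjust the regex to match what your own `klist` prints.

```python
import re
import subprocess

# Constructed sample in a klist-style layout; principal names, realm hash
# and timestamps are invented for this example, not taken from a real Mac.
SAMPLE_KLIST = """\
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: holland@LKDC:SHA1:EXAMPLEHASH

Valid Starting     Expires            Service Principal
11/18/07 05:57:00  11/18/07 15:57:00  krbtgt/LKDC:SHA1:EXAMPLEHASH@LKDC:SHA1:EXAMPLEHASH
11/18/07 05:57:05  11/18/07 15:57:00  afpserver/LKDC:SHA1:EXAMPLEHASH@LKDC:SHA1:EXAMPLEHASH
"""

# One ticket line: start time, expiry time, service principal (assumed layout).
TICKET_RE = re.compile(
    r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\S+)$"
)


def parse_klist(text):
    """Return (service_principal, expires) pairs found in klist output."""
    tickets = []
    for line in text.splitlines():
        m = TICKET_RE.match(line.strip())
        if m:
            tickets.append((m.group(3), m.group(2)))
    return tickets


def live_service_tickets(text, now, service_prefix="afpserver/"):
    """Service tickets for the given service whose expiry is still ahead of `now`.

    `now` uses the same "MM/DD/YY HH:MM:SS" layout as the ticket lines; the
    10-hour lifetime Glenn mentions shows up as the gap between the columns.
    """
    return [svc for svc, exp in parse_klist(text)
            if svc.startswith(service_prefix) and exp > now]


def main():
    try:
        # On a real Mac, read the live ticket cache; fall back to the sample elsewhere.
        text = subprocess.run(["klist"], capture_output=True, text=True).stdout
    except FileNotFoundError:
        text = SAMPLE_KLIST
    for svc, exp in parse_klist(text):
        print(f"{exp}  {svc}")
    print("A live afpserver/ ticket explains a password-free mount; "
          "`kdestroy` clears the cache so the next mount must authenticate.")


if __name__ == "__main__":
    main()
```

The string comparison on expiry works because the sample keeps every timestamp in the same two-digit, zero-padded layout; if your `klist` prints month names, convert the columns with `datetime.strptime` before comparing.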
Hack This Mac : Update on that .Mac security thing on 10 Dec 2007 at 1:46 am: 7
[…] readers should remember my little post titled “My Mac’s security is being compromised by .Mac.” If you don’t remember it, go ahead and read it now. After reading the comments and […]