SecureMac, Inc.

iDisk under Mac OS X 10.1 is significantly less secure…By Open Door Networks

October 6, 2001

Fix: Use the Software Update feature in Mac OS X to resolve the WebDAV security issues.

Security Advisory: Apple’s Mac OS X iDisk WebDAV vulnerability

Open Door Networks recently discovered that Apple’s iDisk under Mac OS X 10.1 wasn’t properly written to WebDAV standards. They said that in Mac OS X 10.1 your iDisk is usually accessed using the WebDAV protocol rather than the Apple Filing Protocol (AFP) used previously. Like AFP, WebDAV is not supposed to send your password over the Internet, so in that respect it should be as secure as AFP. However, the implementation of WebDAV in Mac OS X 10.1, as used with iDisk, violates the WebDAV specification and sends your password in a way that makes it easy for hackers to discover.

iDisk under Mac OS X 10.1 is significantly less secure than under previous versions of Mac OS X.

Apple’s failure to follow the standard WebDAV protocol made it possible for any hacker who has access to sniff the network to see your password in plaintext. Once the password has been sniffed, the hacker has full access to read and write the files on your iDisk, as well as to the personal homepage and MAC.COM e-mail account.
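A defender-side check for the exposure described above, as an added example that is not part of the original advisory or Open Door Networks' material. The advisory does not name the authentication scheme involved; the code assumes HTTP Basic credentials on a non-TLS connection, which RFC 2518 forbids for WebDAV, and the sample requests, host and credentials are constructed.

```python
import base64
import binascii

# Constructed sample request heads (not captured traffic). Host, path and
# credentials are made up; the Basic scheme itself is this example's assumption.
SAMPLES = [
    ("http", "PROPFIND /alice/ HTTP/1.1\r\nHost: dav.example.test\r\n"
             "Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n\r\n"),
    ("http", "PROPFIND /alice/ HTTP/1.1\r\nHost: dav.example.test\r\n"
             'Authorization: Digest username="alice", realm="dav", nonce="abc", '
             'uri="/alice/", response="0123456789abcdef0123456789abcdef"\r\n\r\n'),
    ("https", "GET /alice/ HTTP/1.1\r\nHost: dav.example.test\r\n"
              "authorization: basic YWxpY2U6aHVudGVyMg==\r\n\r\n"),
    ("http", "OPTIONS / HTTP/1.1\r\nHost: dav.example.test\r\n\r\n"),
]

def parse_headers(raw):
    """Split a raw request head into (request_line, {lowercased name: value})."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def classify(transport, raw):
    """Return (verdict, username) for one request seen on `transport`."""
    _, headers = parse_headers(raw)
    scheme, _, param = headers.get("authorization", "").partition(" ")
    scheme = scheme.lower()
    if not scheme:
        return ("no-credentials", None)
    if scheme == "digest":
        # Digest sends a hash computed from the password and a server nonce.
        return ("digest-ok", None)
    if scheme != "basic":
        return ("other-scheme", None)
    try:
        decoded = base64.b64decode(param.strip(), validate=True)
    except (binascii.Error, ValueError):
        return ("malformed-basic", None)
    user = decoded.decode("utf-8", "replace").partition(":")[0]
    # Basic is only base64; on a non-TLS connection the password is readable.
    verdict = "basic-over-tls" if transport == "https" else "password-exposed"
    return (verdict, user)

def audit(samples):
    """Return the request lines whose credentials an on-path observer can read."""
    return [parse_headers(raw)[0] for t, raw in samples
            if classify(t, raw)[0] == "password-exposed"]
```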

If you select “iDisk” from the “Go” menu or click on the iDisk icon in the Finder, your iDisk will be vulnerable.

Open Door Networks suggests that, to connect to iDisk the old (secure) way under Mac OS X 10.1, you use “Connect to Server” under the “Go” menu and enter the address “afp://idisk.mac.com”. Doing so is highly recommended until Apple comes out with a fix for this problem.

The book “Internet Security for Your Macintosh: A Guide for the Rest of Us” (written by two Open Door employees) provides additional technical details on how a hacker could look at your data and extract your password. See the chapter “Just Say No to FTP”. The book also includes a full chapter specifically on Mac OS X Internet security. Well worth the read. Although I do not think it includes a link to SecureMac.com (;
