Feeds

MacOS' Sherlock surreptitiously sends email addresses

Second Apple security glitch spotted

  • alert
  • submit to reddit

Seven Steps to Software Security

A security glitch that exposes users' email addresses has been found lurking within Apple's Sherlock Internet search technology. The discovery comes a month after it was detected that Apple's iTools online service transmits users' passwords without scrambling them first. The latest discovery was made by MacWelt magazine and Web site MacSherlock. In fact, it's not a glitch as such, rather it's a lack of thought on the part of Sherlock's programmers. Sherlock has an auto-update facility which checks for new versions of modules that allow it to search specific sites. The Register itself has just such a plug-in that can be downloaded here. Our plug-in is provided through a Web server, but if the update is transferred by FTP, Sherlock will log in anonymously, but provide the user's email address as the login password. In the past, it was considered courteous to provide your email address this way when downloading files anonymously. Nowadays, in these more privacy-conscious times, it's much less commonplace. In fact, many applications that support FTP, such as Netscape Navigator, allow users the choice as to whether their email address is transmitted this way. Last month's security glitch centred on the iTools browser plug-in, which communicates with the server using XML. Software developer Brad Pettit discovered that the plug-in transmits the user's password as plain text. "One could theoretically control the plug-in from any link that loads content into your Web browser. And you wouldn't even know it," he said. Pettit also found the iTools software capable of "gathering and sending all sorts of machine-specific data to Apple, such as hardware ethernet addresses. ®

Boost IT visibility and business value

More from The Register

next story
Airbus promises Wi-Fi – yay – and 3D movies (meh) in new A330
If the person in front reclines their seat, this could get interesting
BBC goes offline in MASSIVE COCKUP: Stephen Fry partly muzzled
Auntie tight-lipped as major outage rolls on
There's NOTHING on TV in Europe – American video DOMINATES
Even France's mega subsidies don't stop US content onslaught
UK Parliament rubber-stamps EMERGENCY data grab 'n' keep bill
Just 49 MPs oppose Drip's rushed timetable
Want to beat Verizon's slow Netflix? Get a VPN
Exec finds stream speed climbs when smuggled out
Samsung threatens to cut ties with supplier over child labour allegations
Vows to uphold 'zero tolerance' policy on underage workers
Dude, you're getting a Dell – with BITCOIN: IT giant slurps cryptocash
1. Buy PC with Bitcoin. 2. Mine more coins. 3. Goto step 1
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Mobile application security vulnerability report
The alarming realities regarding the sheer number of applications vulnerable to attack, and the most common and easily addressable vulnerability errors.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.