Comments on: An Easy Way To Retrieve The Entire MobileMe User Email List

By: mactifosi

mactifosi — Thu, 23 Jul 2009 15:37:38 +0000

I don’t get spam either and have been using this for about two years now.

By: TomB

TomB — Thu, 02 Apr 2009 02:50:46 +0000

I’ve been getting spam recently on my .mac, and I noticed that all the addresses it was sent to were .m ac addresses.

By: perde

perde — Fri, 19 Dec 2008 15:27:50 +0000

good

By: Ruban

Ruban — Wed, 03 Dec 2008 09:53:56 +0000

How can I get email address only…???

By: Green Web Design Project Blog » Blog Archive » Apple’s MobileMe plays into hands of spammers

Sun, 21 Sep 2008 13:45:29 +0000

[...] As a result spammers only need to map the iDisk domain using web crawler tools to extract the entire MobileMe user name list. Taking this username list and simply adding either @me.com or @mac.com will give an email list, Techcrunch reports. [...]

By: MobileMe: Exchange РґР»СЏ РІСЃРµС… РЅР°СЃ » iPhone РІ Р•РєР°С‚РµСЂРёРЅР±СѓСЂРіРµ

Thu, 11 Sep 2008 16:23:57 +0000

[...] Techcrunch РЅРµРґР°РІРЅРѕ РїРѕСЏРІРёР»Р°СЃСЊ Р·Р°РјРµС‚РєР°, РІ РєРѕС‚РѕСЂРѕР№ РњР°Р№РєР» РђСЂСЂРёРЅРіС‚РѕРЅ [...]

By: MobileMe Design Flaws - Security Enabled Network

MobileMe Design Flaws - Security Enabled Network — Wed, 03 Sep 2008 16:23:24 +0000

[...] Apple’s MobileMe service has quite a few problems going for itself. A couple weeks ago, the TechCrunch Blog reported a design flaw with the service that allows attackers to crawl the site’s public [...]

By: iScope #12 « Obelis

iScope #12 « Obelis — Thu, 28 Aug 2008 09:51:29 +0000

[...] tvrtina, kad siekiant ištaisyti vienus bug’us, klaidų pridaroma kitur. Šiuo atveju, atveriamas kelias spam’eriam gauti MobileMe vartotojų elektroninio pašto adresus ir jais paskleisti reklamą. Oficialių nusiskundimų dar nesulaukta, bet čia tik laiko [...]

By: Haywired 3.0 - MobileMe: Exchange для всех нас

Haywired 3.0 - MobileMe: Exchange для всех нас — Thu, 28 Aug 2008 08:40:05 +0000

[...] Techcrunch недавно появилась заметка, в которой Майкл Аррингтон рассказывает о легком [...]

By: themacguy

themacguy — Wed, 27 Aug 2008 03:42:51 +0000

@Hugo84
Ask yourself – 10 years in service and No one has figured out how to exploit this. I agree with having common sense. That is what keeps my personal email from getting any spam. It’s also called eternal vigilance. But you’re equating the internet to a world of happenstance – which it’s not. Services don’t STAY secure by pure dumb luck. They stay secure by eternal vigilance. Put 9 zeros behind that and tell me Apple screwed up. Arrington isn’t seeing the whole picture. I’m not scared. I am vigilant.

By: Mehr MobileMe Probleme - Sicherheitslücken durch fehlende Schutz-Maßnahmen | MACazin

Tue, 26 Aug 2008 09:09:03 +0000

[...] sind die umfangreiche Sicherung, Verschlüsselung und der Schutz der Daten. Laut der Webseite TechCrunch soll es für Bösewichte sehr simpel sein, an die Daten heran zu kommen. Sobald man die [...]

By: Chip

Chip — Tue, 26 Aug 2008 03:31:18 +0000

Haha it works. Thanks for sharing.

By: Más problemas con el servicio MobileMe |

Más problemas con el servicio MobileMe | — Mon, 25 Aug 2008 21:29:08 +0000

[...] spider en la web se puede apoderar de la lista entera de usuarios de MobileMe, según nos dice TechCrunch. El método es extremadamente sencillo, ya que el servicio pone la carpeta pública del iDisk [...]

By: Aaron Guhl

Aaron Guhl — Mon, 25 Aug 2008 19:34:36 +0000

I can’t believe people actually defend this sort of blatant privacy violation/security design flaw. So many website out there today are guilty of this same flaw. That doesn’t make it right. Security with email is so far behind the rest of the security industry, it isn’t even funny.

It isn’t whether or not you receive spam in your MobileMe account or whether or not you think spammers will take advantage of this. The fact of the matter is that Apple is publicly displaying usernames/email addresses of all their users on indexable webpages.

Imagine if a highly confidential financial company publicly displayed email addresses of their users on indexable webpages. That would be such a huge security violation (not to mention out of compliance). So why is it forbidden for highly confidential financial company to display private email addresses, but not for an email provider?

Why are people so lazy with email security? For me, I guard my email accounts just as much as I guard my financial accounts. I expect the same security attention given on both. So why do people excuse Apple (or any other company) for giving public validation for email accounts.

Sure a spammer can send out emails to a bunch of random usernames on a domain, but then they are shooting in the dark without any validation of success. A spammer doesn’t need the ENTIRE user account list from Apple to make use of this flaw. They could easily generate a list of about 10,000. That is 10,000 more ACCURATE accounts than they had before that they can TARGET a phishing campaign with. If they randomly generated a list of 10,000 addresses, they’d be lucky if they got 1% of those as correct and active accounts.

It is just one more thing that makes life easier for spammers. Why make it easier for them?

By: Is MobileMe Aiding Spammers? | World of Apple

Is MobileMe Aiding Spammers? | World of Apple — Mon, 25 Aug 2008 18:11:54 +0000

[...] Also via TechCrunch [...]

By: Dean

Dean — Mon, 25 Aug 2008 16:40:57 +0000

well, the more i read such articles about mobileme, the gladder i am that i opted for hyperoffice instead

By: annoyed

annoyed — Mon, 25 Aug 2008 13:53:31 +0000

Bigger problem for me is my email account gets put on other people’s blacklists. _That_ is a serious issue for people even if they don’t see the spam in their mailbox.

By: Just Assume the Spammers Are Going to Get Your Email Address - BuzzYA!

Just Assume the Spammers Are Going to Get Your Email Address - BuzzYA! — Mon, 25 Aug 2008 11:56:09 +0000

[...] been quite a flame-war going on over at TechCrunch, where Mike Arrington has claimed that the way Apple deals with invalid URLs for users’ public iDisk pages makes it “a dead simple [...]

By: S0m30ne

S0m30ne — Sun, 24 Aug 2008 17:13:37 +0000

Yes, but with Google, after ~10 times you’ll get a CAPTCHA…
This is not the case with Apple.

By: links for 2008-08-24 | How'd You Get To Be So Stupid

links for 2008-08-24 | How'd You Get To Be So Stupid — Sun, 24 Aug 2008 11:11:48 +0000

[...] An Easy Way To Retrieve The Entire MobileMe User Email List (tags: howdyougettobesostupid) [...]

By: anon

anon — Sat, 23 Aug 2008 23:09:45 +0000

No offense, but if you’d kindly post your corrections as replies to your first comment, it would be much easier for the casual reader to skip the umpteenth (oh no, let me correct, bazillionth, no wait, …) instance.
kthxnp

P.S. for n (e.g. 26, 36) possibilities per character, the words that are shorter than the maximum length make up a little less than 1/n of the total, which does not warrant a new posting for n > pi.
P.P.S. I daresay I verifitested that latter mathematicious claim with a spreadsheet of my own.

By: Apple’s MobileMe Susceptible To Spam Harvesting

Apple’s MobileMe Susceptible To Spam Harvesting — Sat, 23 Aug 2008 07:04:39 +0000

[...] (NasdaqGS: APPL) MobileMe service has been reported to be susceptible to an email harvesting exploit technique due to public folder enumeration. [...]

By: MobileMe a major spam risk - LiveAM - Your morning news 24/7

MobileMe a major spam risk - LiveAM - Your morning news 24/7 — Sat, 23 Aug 2008 02:43:04 +0000

By: Dragenx Blog » Apple’s MobileMe plays into hands of spammers

Dragenx Blog » Apple’s MobileMe plays into hands of spammers — Sat, 23 Aug 2008 01:59:51 +0000

By: KimH

KimH — Fri, 22 Aug 2008 22:54:27 +0000

Guess what — you don’t need a dictionary attack to suffer from this — there’s a more important downside to the MobileMe system.

If you publish photos to a MobileMe gallery or serve files from your MobileMe public folder, then you expose your email to everyone who sees them. So — no need for a dictionary attack — anytime you use those services you have to trust EVERYONE involved not to abuse your username. So they’re useless for anyone except close friends & colleagues. Apple needs to fix this ASAP.