Righto. This isn’t going to do my campaign for Apple to give me an iBook gratis any good at all. Still – never mind. It has to be done. So I’m wandering cheerfully through my referrer logs and I find a weird referral from a site with Apple in the URL. I follow the link to find a little article posted about my recent Apple rant. Then I realise that not only am I on an Apple site, I’m actually already logged in as a young gentleman called Jared Foster who is taking part in the Campus Rep Program at Florida University.
But how can this be? Surely Apple wouldn’t be storing crucial login information and passwords in the URL? Except they have. And it’s not like it’s a little site containing no important information. In fact by the time I realised what was going on, I’d already seen a lot of information that should be very carefully protected. Now – if I wanted to – I could have access to all of Jared’s personal information, his timecards, the contact details of loads of people at Apple and – moreover – trade secrets on the Campus Rep Program and also the confidentiality agreement that everyone who participates in the program has to sign.
Now I’m a tremendous fan of Apple’s computers and software and wish nothing but success to them. I’ve been promoting Apple’s stuff here on this site for years simply because I love it. But this is a fairly horrifically substantial security breach for a company like Apple to countenance. And I think that it should be brought to the attention of the public.
- Some personal information (small selection from much available)
- Timecards information (it’s possible to click through further, but I thought that would be invasive)
- Ironic confidentiality notice at the bottom of each page
Follow-up: I’ve been talking to some people with greater knowledge of security than me, and potentially this is a problem that has been caused by a security flaw in the browser used by the person who followed the referral link to my site rather than an Apple security issue. Clearly this would leave Apple relatively free from blame in this matter. I personally would also be relieved. More information as I have it – certainly I have no interest in lambasting Apple for a problem if it is not their responsibility…