OpenDoor Networks has released a security alert for Mac OS X 10.1 concerning use of iDisk. According to the company, a flaw in the implementation of WebDAV, which is the protocol that is now used in Mac OS X 10.1 to mount an iDisk and to make it usable on a PC as well, allows for the possibility of one's password being accessed by the bad guys. From OpenDoor Networks:
iDisk under Mac OS X 10.1 is significantly less secure than under previous versions of Mac OS X.
In Mac OS X 10.1 your iDisk is usually accessed using the WebDAV protocol rather than the Apple Filing Protocol (AFP) used previously. Like AFP, WebDAV is supposed to not send your password over the Internet, so in that respect it should be as secure as AFP. However the implementation of WebDAV in Mac OS X 10.1, as used with iDisk, violates the WebDAV specification and sends your password in a way that makes it easy for hackers to discover.
Using iDisk under Mac OS X 10.1 could easily result in disclosure of your password and full access to your iDisk by others.
Any hacker who can see the data being sent between your machine and the iDisk server can easily extract your password and other information needed to access your iDisk. The hacker would then have complete read/write access to your iDisk, including your personal Web site pages and any other files and information you've placed there.
If you select "iDisk" from the "Go" menu or click on the iDisk icon in the Finder, your iDisk will be vulnerable. Also if you use the "iDisk" selection in file open or save dialogs.
To connect to iDisk the old (secure) way under Mac OS X 10.1, you should use "Connect to Server" under the "Go" menu and enter the address "afp://idisk.mac.com". Doing so is highly recommended until Apple comes out with a fix for this problem (of which they're well aware). You can then make an alias to your iDisk, or save it as a Favorite.
There is additional information on this subject at OpenDoor's Web site.