advertisement

Article:
  A Look Inside Address Book
Subject:   Address Book and Security
Date:   2002-08-27 22:32:59
From:   jonblock
While I think the central address book system is a great idea, I'm more than a bit concerned about the potential security implications.


You've just shown how easy it is to write an application that can read the entire address book and a) send it to an unauthorized third party, b) use it to spam/infect every contact in the list, and/or c) trash it, either subtly or obviously.


All it would take is for some malicious author (or some well-known companies who follow the software-as-market-research-tool philosophy) to distribute a program with a cute front-end hiding unfriendly address book manipulations, and bingo, instant virus (or worm, or whatever).


Of course, this would become a major worm candidate if Mail.app, or one of the other mass-market OS X mail clients, could be tricked into auto-launching an application attached to an e-mail.


I guess what I'd like to hear is that each application attempting to access the address book must be pre-authorized by an Administrator account, or else authorized on the fly by the current user (perhaps using the Keychain model). Unfortunately, it doesn't appear that this is the case.


Does this concern anyone else? Or have I overlooked an important security measure that everyone else has already noticed?


1 to 1 of 1
  1. Address Book and Security
    2002-08-29 05:14:32  senjaz [View]

    • Address Book and Security
      2002-08-29 10:05:31  jonblock [View]

      • Address Book and Security
        2002-09-03 11:27:48  agave [View]

1 to 1 of 1