Do not go Back to My Mac
We’re usually not alarmists here, but right now we need to be. Unless we’re proven wrong (and we’ll certainly admit it if we are), do not use Leopard’s new “Back to My Mac” feature. It contains a serious security hole, which allows anyone who can access your .Mac account to easily take full remote control of your Mac, without having to enter your Mac’s password.
Back to My Mac is a new feature that claims to allow you to “access and control your remote Mac running Mac OS X Leopard from any other Leopard-based Mac.” Unfortunately this feature didn’t work at all in most Leopard pre-releases, so no one’s really been able to evaluate it until the official Leopard release. As part of readying our security products for Leopard, we spent a lot of time on release day doing just that, and the results were surprising and worrisome.
We first used the .Mac System Preferences panel to enable Back to My Mac on two Leopard machines on two different Internet-connected networks, with both Macs signed into the same .Mac account. We then enabled File Sharing and Leopard’s new Screen Sharing on one of the Macs through Sharing System Preferences. That “server” Mac then appeared in Finder’s sidebar on the other (“client”) Mac, in the new SHARED section. So far, so good. That’s one of the things Back to My Mac is supposed to do -- make it easy for you to find your other Mac(s) regardless of where you and they are on the Internet.
The problem came when we selected the server Mac in the client’s sidebar. Instead of either connecting to that Mac’s File Sharing as a guest, or asking us for that Mac’s password, Back to My Mac automatically connected to the server Mac’s File Sharing as that Mac’s owner, without ever asking for the owner’s name and password. Worse yet, the same thing happened when we then clicked “Share Screen...”, giving us full remote control of the Mac without ever entering its password.
Initially in disbelief, we confirmed the problem from different machines on different networks. We then took a step back and thought about it: how could Apple have shipped Back to My Mac with such a seemingly serious security hole? We’ll see what they say in response to the bug report we filed, but here’s the only explanation we’ve been able to come up with:
Is it possible they believe that simply signing into your .Mac account should be enough to allow you (or anyone else) to have easy-access, full control over any other of your Macs that are also signed in??
If this is their explanation, it’s a pretty weak one, for any number of reasons. A small subset of these reasons includes:
• Your machine’s password exists to prove that you’re you and provide you full access to your machine, either locally or remotely. It’s used for local login, remote login (ssh, enabled through Sharing), file sharing, screen sharing (also enabled through Sharing, previously as “Apple Remote Desktop”) and other similar services. It has, to date, been the designated way of obtaining such full access.
• Why add a second, backdoor way to access such critical services? The more ways, the greater the risk.
• Some of us may not want to entrust a third party with a password that allows full control of our machines.
• Most of us will use a “weaker” password for our .Mac account than for our Mac itself. It’s certainly what we’ve done to date anyway, since .Mac services were nowhere near as critical.
• Once enabled, signing into Back to My Mac is done automatically each time the Mac starts up or awakes from sleep, and could easily be forgotten about. Access to critical services like file and screen sharing should always be explicitly authorized.
Additionally, it seems to be very hard to use a firewall to block or limit access to Back to My Mac, which does not use the standard ports for file or screen sharing (probably because, to provide easy access, it needs to get around the firewall features of most home routers). Right now it looks like blocking or limiting access to UDP port 4500 works (we’re still testing around that however). Better yet, just don’t go Back to My Mac until further notice.
More on this story as it develops...
Saturday, October 27, 2007