Apple's MobileMe service, which syncs data between a user's home computer and an iPhone 3G, reportedly makes it easy for hackers to harvest subscribers' e-mail addresses. According to security researchers, this could lead to a lot more spam and phishing scams.
To exploit MobileMe, hackers can point a Web crawler at users' public file-sharing folders on iDisk and walk them to harvest the entire MobileMe user name list, the blog TechCrunch reported Thursday. Because the folders are public, no MobileMe account is needed to do this. Once the list is in hand, spammers need only append @me.com or @mac.com to each user name to turn it into a working e-mail address.
Apple was not immediately available for comment on Friday.
Alex Eckelberry, chief executive of security vendor Sunbelt Software, said the vulnerability may stem from an oversight in how Apple designed MobileMe.
"It's a little silly for Apple to set it up this way," he said.
The potential exploit, however, amounts to more of an annoyance for subscribers than a serious threat, since spammers can't gain access to personal information, such as credit card numbers. "The reality is if you're on the Internet, you're open to spamming anyway, and this is just one more way for spammers to get your e-mail address," Eckelberry said.
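Added example, not part of the InformationWeek article and not code from Apple: the detection check a service operator would want for the harvesting described above. It runs over a few constructed Apache-style access-log lines and flags any client that requests the public folders of many distinct user names within a short window, which is what a crawler walking iDisk to build a user list looks like and what a subscriber browsing a friend's folder does not. The path layout /<username>/Public/, the IP addresses, the user agents and the user names are assumptions made up for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache "combined" access-log line. The request path is the field we care about.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
# ASSUMED layout for public file-sharing folders: /<username>/Public/
# This is an illustration for the example, not the real iDisk URL scheme.
PUBLIC_RE = re.compile(r'^/(?P<user>[A-Za-z0-9._-]+)/Public(?:/|$)')


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "path": m.group("path"),
            "status": int(m.group("status")), "ua": m.group("ua")}


def find_enumerators(lines, window_seconds=60, threshold=20):
    """Flag clients that touch the public folders of many distinct user names.

    Returns {ip: peak_distinct_users} for every client whose count of distinct
    user names seen inside any sliding window of window_seconds reaches
    threshold. Lines are expected in time order per client. Status codes are
    deliberately ignored: a 404 tells a crawler that a name is unused just as
    a 200 confirms one that exists, so both are part of the enumeration.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> deque of (timestamp, username)
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                              # unparseable line, skip it
        pm = PUBLIC_RE.match(rec["path"])
        if pm is None:
            continue                              # not a public-folder request
        dq = recent[rec["ip"]]
        dq.append((rec["ts"], pm.group("user")))
        while dq and rec["ts"] - dq[0][0] > window:
            dq.popleft()                          # drop hits older than the window
        distinct = len({user for _, user in dq})
        if distinct >= threshold:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), distinct)
    return flagged


# ---- constructed sample log (made up for this example, not real traffic) ----
def _log_line(ip, ts, path, status, ua="Mozilla/5.0"):
    stamp = ts.strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{stamp}] "GET {path} HTTP/1.1" {status} 512 "-" "{ua}"'

T0 = datetime(2008, 8, 1, 10, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = []
# A crawler at 203.0.113.5 trying 25 user names, one every two seconds.
for i in range(25):
    SAMPLE_LOG.append(_log_line("203.0.113.5", T0 + timedelta(seconds=2 * i),
                                f"/user{i:02d}/Public/",
                                200 if i % 3 else 404, ua="crawler/0.1"))
# A subscriber at 198.51.100.7 browsing three friends' folders plus one
# private folder, which the public-folder filter ignores.
for i, user in enumerate(["alice", "bob", "carol"]):
    SAMPLE_LOG.append(_log_line("198.51.100.7", T0 + timedelta(seconds=5 * i),
                                f"/{user}/Public/", 200))
SAMPLE_LOG.append(_log_line("198.51.100.7", T0 + timedelta(seconds=20),
                            "/alice/Documents/", 403))
SAMPLE_LOG.append("malformed line that the parser must skip")

if __name__ == "__main__":
    for ip, peak in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: {peak} distinct user names within 60 s, likely enumeration")
```

The window and threshold are the knobs to tune against real traffic: a subscriber rarely opens more than a handful of other people's public folders in a minute, while a crawler building a user list touches hundreds. Feeding the detector with the raw line stream rather than only successful requests matters, because a crawler that guesses names learns as much from the misses as from the hits.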
A far more serious threat, Eckelberry said, is a report earlier this week that Apple encrypts MobileMe login information but not the data it moves for users over the Web. Without Secure Sockets Layer (SSL), the cryptographic protocol that secures traffic on the Internet, subscribers' synced data travels in the clear and can be read by anyone positioned on the path between the user and Apple, which places their personal data at risk.
"The encryption issue to me is far more serious, and Apple should give it a higher priority to fix," Eckelberry said.
The reported vulnerabilities are the latest of several problems that have plagued the service, which replaced Apple's .Mac service.
Apple chief executive Steve Jobs introduced MobileMe at the Worldwide Developers Conference in San Francisco, alongside the iPhone 3G. MobileMe provides a bundle of storage, calendar, e-mail and photo services, and costs $99 a year.
But from the beginning, MobileMe has had problems with users visiting the service's Web portal Me.com, syncing data and accessing e-mail. The problems have angered subscribers to a point where Apple offered to make amends by giving away 60 days of the service.
In a leaked internal e-mail, Jobs acknowledged that the service was "not up to Apple's standards," and reorganized the management team behind MobileMe.
In a related note, InformationWeek has published its 2008 Strategic Security Survey; the report is available for download from InformationWeek (registration required).