Security issue with Yosemite?

Posted:
in Genius Bar edited October 2014

I was on the phone with AppleCare for Spotlight not showing any results from Wikipedia or Bing; and while I was on the phone, I discovered a new problem which I think is a security issue. I am providing the details below:

I created a new test user account to see if Spotlight works properly there. It didn’t, and I was told by AppleCare that this was a known issue and is not working for anyone now; and that we have to wait for a dot release to fix this.

To come back to the security issue:

While in that new user account (a standard non-admin account), I ran Spotlight and noticed that it was providing me with results (files, email messages, etc.) from my main Admin-user account. I was surprised at this since I presumed that one user account should never be able to see files belonging to another user account.

Just to see how far I could go, I tried to open some of the files Spotlight showed me. I opened a movie file (I could play it), I opened a spreadsheet (I could see everything in it and I could also make changes); I opened PDFs and was able to read them.

As a final test, I opened Finder - I was able to navigate to the privileged user’s folder and sub-folder structure and open all the files and read them and make changes.

I also transferred a file from the standard test user account to the privileged admin user account’s folder!

I did a Get Info on the privileged user’s folder and I could read-write to that folder.

And now comes the zinger:

I switched to the privileged user-account and opened Finder and navigated to the test user folder. I could see Red Minus signs all over the place and I could not navigate any further down.

So, it looks like it is working bass-ackwards! A non-privileged user can do anything with a privileged user’s stuff and the privileged user can do nothing with a non-privileged user’s stuff.

Luckily I discovered this issue while on the call with AppleCare - a senior support person actually; and he sent me the data-gathering software where I run the software and replicate the issue so that all logs are collected and sent to Apple.

Let’s see if this goes anywhere.

And in the meanwhile, can some of you see if you face the same problem please?

Now, regarding the original Spotlight problem I called Apple about - I cannot see any Wikipedia or Bing or Movie theatre info - I can only see local hard drive stuff. The tech told me that the web-search portion of Spotlight is not working properly yet and that I have to wait for Apple to release a patch, a dot release; and that this issue is so low on the totem with other major issues so that this issue may be addressed only after a long time.

Cheers
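
The post describes a standard account being able to read and write inside another account's home folder. As an added example (not part of the original post), this script lists home folders under a base directory whose POSIX mode bits allow that; the list of private subfolders, the `/Users` default and the finding labels are assumptions.

```shell
#!/bin/sh
# Added example: flags home folders whose POSIX mode bits let other local
# accounts in. Folder names and the /Users default are assumptions.

# Subfolders a fresh macOS account normally keeps owner-only (assumed list).
PRIVATE_DIRS="Desktop Documents Downloads Library Movies Music Pictures"

# Succeeds when directory $1 has at least one of the listed mode bits set.
has_any_bit() {
    dir="$1"; shift
    for bits in "$@"; do
        [ -n "$(find "$dir" -maxdepth 0 -perm "-$bits" 2>/dev/null)" ] && return 0
    done
    return 1
}

# Prints one finding per line for each home folder under $1.
audit_homes() {
    base="${1:-/Users}"
    for home in "$base"/*/; do
        home="${home%/}"
        [ -d "$home" ] || continue
        # /Users/Shared is meant to be writable by everyone; skip it.
        [ "${home##*/}" = "Shared" ] && continue
        # Nobody but the owner should be able to write into the home folder.
        if has_any_bit "$home" 020 002; then
            echo "WRITABLE_HOME $home"
        fi
        # Private subfolders should grant nothing to group or other.
        for sub in $PRIVATE_DIRS; do
            [ -d "$home/$sub" ] || continue
            if has_any_bit "$home/$sub" 040 020 010 004 002 001; then
                echo "EXPOSED_SUBFOLDER $home/$sub"
            fi
        done
    done
}

audit_homes "${1:-/Users}"
```

The script only inspects mode bits; ACL entries, which `ls -le` displays on macOS, need a separate look.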
