We accidently came across a major security problem when we were configuring iMessages on OS X Mountain Lion. We certainly don’t want to encourage illicit activities but full disclosure is usually the best way to handle public security issues.

This is a serious bug where you quickly and without any hacker skills can take full controll over someone else’s Apple ID when you’re connected to the same WiFi network. This mean you can gain full access to that person’s iTunes and App Store accounts, by adding your own email address as a verified address and then changing their password and security settings.

Edit
Since we endorse both Apple and its users we’ve decided to remove the step-by-step instructions to avoid the risk of misuse. As we pointed out above, we certainly don’t want to encourage illicit activities.

The technique used is called a “Session Fixation Attack”, meaning that the user’s session which should be associated with and confined to the user’s computer and browser can be reused and exploited by a 3rd party.

You stay safe from this by not sharing or receiving links to Apple ID. If someone asks you to log in to Apple ID, make sure you don’t open a link to https://appleid.apple.com/ and only access it by going directly to https://appleid.apple.com/.