Here’s the gist: When you turn on Back to My Mac synching, all you need to control your Mac remotely is your .Mac password — you don’t need to authenticate with the password for your Mac itself.
I don’t think it’s right to characterize this as a security “hole”, though — clearly it’s how the feature is designed to work. If you don’t trust your .Mac account, don’t use it. It’d be nice if there were an option to require your Mac’s password, though — and I question the decision to turn this setting on by default.
★ Saturday, 27 October 2007