BugTraq
Apple Safari on MacOSX may reveal user's saved passwords May 14 2007 01:50PM
poplix papusia org (1 replies)
RE: Apple Safari on MacOSX may reveal user's saved passwords May 14 2007 08:58PM
Lucas, Mark J. (mjlucas caltech edu) (1 replies)
Re: Apple Safari on MacOSX may reveal user's saved passwords May 16 2007 03:53PM
stephen joseph butler (stephen butler gmail com)
On 5/14/07, Lucas, Mark J. <mjlucas (at) caltech (dot) edu [email concealed]> wrote:
> If I'm reading this correctly, there has to be a malicious user at the
> console of a logged in computer (or connected in some other
> authenticated way). If I have a malicious user at my console logged in
> as me, I've got more problems than web form passwords being revealed.
>
> Am I reading this incorrectly?

No, you're right. Part of the point is that Safari is reading these
passwords from Keychain. And the whole point of Keychain is preventing
unauthorized programs from getting at the datastore. If a rogue
program asked for these passwords directly, then Keychain would
present a dialog alerting the user. But as the applescript shows, the
program can get Safari to essentially act on its behalf.

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus