BugTraq
Re: Apple Safari on MacOSX may reveal user's saved passwords May 16 2007 07:21PM
Ian Ward Comfort (icomfort rescomp stanford edu)
On May 16, 2007, at 10:42 AM, graham.coles (at) the-logic-group (dot) com wrote:
> I too appear to be having difficulty relating this to a vulnerability.

Fair enough...

>> It works for:
>> the same user using ssh as is on the console;
>
> If someone can remotely log in as you over ssh then they already have your
> password (or worse, certificate!), so why would they try to obtain it from
> a browser?
>
> They already have total access to all your files, there would appear to be
> nothing more to gain from this.

... but note that reading web passwords from Safari does give someone
*more* than "total access to all your files", since the keychain in
which those passwords are stored is encrypted on disk.

>> the root user using ssh (or someone who can sudo) can inject
>> Javascript into the console user's browser;
>
> Are you even considering what you are saying?
>
> Someone has *ROOT* access to your system REMOTELY over ssh and you're
> worried that they might be able to retrieve a password from your keychain.
> By this stage, your entire system and every file in it is pretty much owned.

Again, owning the file is not quite as good as owning the web
passwords, since the file is encrypted, usually with the user's login
password (if we're talking about the login keychain) but not always.
The harm here, as I see it, is that if you have Safari open and have
unlocked a keychain for it, with some valuable passwords (say for
financial institutions), someone who can execute arbitrary code as
your user can read passwords from that keychain that they couldn't
read from the keychain as stored on disk.

I'm not sure if making Safari dump core would also reveal these
passwords; if so that would make this issue more or less moot. And
of course as root one can presumably read the passwords out of system
memory. But this behavior seems to make it too easy, no?

---IWC
