BugTraq
Re: RE: Apple Safari on MacOSX may reveal user's saved passwords May 14 2007 10:35PM
poplix papuasia org (1 replies)
Re: Apple Safari on MacOSX may reveal user's saved passwords May 15 2007 10:15PM
David Cantrell (d cantrell outcometechnologies com) (1 replies)
Re: Apple Safari on MacOSX may reveal user's saved passwords May 16 2007 05:42PM
graham coles the-logic-group com (2 replies)
Re: Apple Safari on MacOSX may reveal user's saved passwords May 17 2007 11:47AM
David Cantrell (d cantrell outcometechnologies com) (2 replies)
graham.coles (at) the-logic-group (dot) com wrote:

>> It works for:
>> the same user using ssh as is on the console;
> If someone can remotely log in as you over ssh then they already have your
> password (or worse, certificate!), so why would they try to obtain it from
> a browser?

They can obtain other stuff that I type in the browser, such as
passwords etc that I might use for online banking and which I don't
store in Keychain. Personally, I don't think that the Keychain bit is
particularly important.

> They already have total access to all your files, there would appear to be
> nothing more to gain from this.

Perhaps you do (in which case I recommend you stop), but I don't store
all my information in files, and of that which I do, not all those files
are merely protected by my standard login and password. Some, such as
how I authenticate to my bank, are stored in a gpg-encrypted file in
case I ever forget. Others, such as my gpg passphrase, live only in my
head. Trust me, merely logging in as me won't help anyone get at those
data.

>> the root user using ssh (or someone who can sudo) can inject
>> Javascript into the console user's browser;
> Are you even considering what you are saying?

Yes. Are you?

> Someone has *ROOT* access to your system REMOTELY over ssh and you're
> worried that they might be able to retrieve a password from your keychain.

Yes, it would be annoying if someone rooted my laptop. It would be a
lot more annoying if they not only rooted my laptop but also cleaned out
my bank account via my browser.

It *is* somewhat disturbing that root can so trivially interfere with
the guts of someone else's processes. Normally, root has to do a lot of
work to do that.

>> a different non-root user on the console can do it too
> Which again restricts this vulnerability (as previously mentioned) to an
> attacker who happens to be sitting in front of your machine(!)

Did you read the bit where I speculated about setuid applications?

--
David Cantrell

Re: Apple Safari on MacOSX may reveal user's saved passwords May 17 2007 05:50PM
graham coles the-logic-group com (1 replies)
Re: Apple Safari on MacOSX may reveal user's saved passwords May 18 2007 01:23PM
poplix (poplix papuasia org) (1 replies)
Re: Apple Safari on MacOSX may reveal user's saved passwords May 18 2007 05:13PM
Kevin Finisterre (lists) (kf_lists digitalmunition com) (1 replies)
Re: Apple Safari on MacOSX may reveal user's saved passwords May 18 2007 11:43PM
poplix (poplix papuasia org)
Re: Apple Safari on MacOSX may reveal user's saved passwords May 17 2007 04:49PM
Mark Senior (senatorfrog gmail com)
Re: Apple Safari on MacOSX may reveal user's saved passwords May 16 2007 07:21PM
Ian Ward Comfort (icomfort rescomp stanford edu)


 
