BugTraq
Re: Apple Safari on MacOSX may reveal user's saved passwords May 17 2007 04:49PM
Mark Senior (senatorfrog gmail com)
On 5/17/07, David Cantrell wrote:
> graham.coles wrote:
>
> > They already have total access to all your files, there would appear to be
> > nothing more to gain from this.
>
> Perhaps you do (in which case I recommend you stop), but I don't store
> all my information in files, and of that which I do, not all those files
> are merely protected by my standard login and password. Some, such as
> how I authenticate to my bank, are stored in a gpg-encrypted file in
> case I ever forget. Others, such as my gpg passphrase, live only in my
> head. Trust me, merely logging in as me won't help anyone get at those
> data.
>
> > Someone has *ROOT* access to your system REMOTELY over ssh and you're
> > worried that they might be able to retrieve a password from your keychain.
>
> Yes, it would be annoying if someone rooted my laptop. It would be a
> lot more annoying if they not only rooted my laptop but also cleaned out
> my bank account via my browser.

If someone roots your laptop, they won't have to muck around with
carefully timed JavaScript injection via AppleScript. They'll grab
your keychain files, and install a keylogger to grab the password they
need to decrypt it, as well as any passwords that aren't in the
keychain.

If they're impatient, they can lock your keychain, so you're forced to
enter your password the very next time you want anything out of it.
Of course, then they'd risk discovery. Easier to sit tight and let
you type it at a normal time.

As many people have pointed out before, you can install a keylogger
for a single user via an input manager, without getting root. You
need only execution under that one user's credentials. Of course, on
a (nearly) single-user machine, that comes out to largely the same
thing.

> It *is* somewhat disturbing that root can so trivially interfere with
> the guts of someone else's processes. Normally, root has to do a lot of
> work to do that.

"su someone-else" really isn't a lot of work.

Regards
Mark
