Re: Apple Safari on MacOSX may reveal user's saved passwords



On 5/14/07, Lucas, Mark J. <mjlucas@xxxxxxxxxxx> wrote:
> If I'm reading this correctly, there has to be a malicious user at the
> console of a logged in computer (or connected in some other
> authenticated way). If I have a malicious user at my console logged in
> as me, I've got more problems than web form passwords being revealed.
>
> Am I reading this incorrectly?

No, you're right. Part of the point is that Safari is reading these
passwords from Keychain. And the whole point of Keychain is preventing
unauthorized programs from getting at the datastore. If a rogue
program asked for these passwords directly, then Keychain would
present a dialog alerting the user. But as the AppleScript shows, the
program can get Safari to essentially act on its behalf.
