Bugtraq mailing list archives
Apple Safari on MacOSX may reveal user's saved passwords
From: poplix () papusia org
Date: 14 May 2007 13:50:53 -0000
hello,
Apple Safari on Macosx may reveal user's saved passwords. A local user with legitimate access to the system is able to
steal keychained password by injecting javascripts into a loaded webpage via applescript.
It seems that safari fails to validate the source of injected code, however apple belives this is the correct behaviour
so no fixes will be made available.
this proof of concept scpt file will display the password loaded by safari into an html object named "password":
tell application "Safari"
do JavaScript "alert(document.loginform.password.value)" in document 1
end tell
comments are welcome
cheers,
-poplix
http://px.dynalias.org
Current thread:
- Apple Safari on MacOSX may reveal user's saved passwords poplix (May 14)
- RE: Apple Safari on MacOSX may reveal user's saved passwords Lucas, Mark J. (May 14)
- Re: Apple Safari on MacOSX may reveal user's saved passwords stephen joseph butler (May 16)
- <Possible follow-ups>
- RE: Apple Safari on MacOSX may reveal user's saved passwords mailbox () martinelli com (May 14)
- RE: Apple Safari on MacOSX may reveal user's saved passwords samelinux (May 15)
- Re: RE: Apple Safari on MacOSX may reveal user's saved passwords poplix (May 15)
- Re: Apple Safari on MacOSX may reveal user's saved passwords David Cantrell (May 16)
- Re: Apple Safari on MacOSX may reveal user's saved passwords graham . coles (May 16)
- Re: Apple Safari on MacOSX may reveal user's saved passwords Ian Ward Comfort (May 16)
- Re: Apple Safari on MacOSX may reveal user's saved passwords David Cantrell (May 17)
- Re: Apple Safari on MacOSX may reveal user's saved passwords graham . coles (May 17)
- Re: Apple Safari on MacOSX may reveal user's saved passwords David Cantrell (May 16)
- RE: Apple Safari on MacOSX may reveal user's saved passwords Lucas, Mark J. (May 14)