Bugtraq mailing list archives
Re: Apple Safari on MacOSX may reveal user's saved passwords
From: "stephen joseph butler" <stephen.butler () gmail com>
Date: Wed, 16 May 2007 10:53:18 -0500
On 5/14/07, Lucas, Mark J. <mjlucas () caltech edu> wrote:
> If I'm reading this correctly, there has to be a malicious user at the console of a logged-in computer (or connected in some other authenticated way). If I have a malicious user at my console logged in as me, I've got more problems than web form passwords being revealed. Am I reading this incorrectly?
No, you're right. Part of the point is that Safari is reading these passwords from Keychain. And the whole point of Keychain is preventing unauthorized programs from getting at the datastore. If a rogue program asked for these passwords directly, then Keychain would present a dialog alerting the user. But as the AppleScript shows, the program can get Safari to essentially act on its behalf.