Bugtraq mailing list archives
Re: Apple Safari on MacOSX may reveal user's saved passwords
From: Ian Ward Comfort <icomfort () rescomp stanford edu>
Date: Wed, 16 May 2007 12:21:12 -0700
On May 16, 2007, at 10:42 AM, graham.coles () the-logic-group com wrote:
> I too appear to be having difficulty relating this to a vulnerability.

Fair enough...

>> It works for: the same user using ssh as is on the console;
>
> If someone can remotely log in as you over ssh then they already have your password (or worse, certificate!), so why would they try to obtain it from a browser? They already have total access to all your files, there would appear to be nothing more to gain from this.

... but note that reading web passwords from Safari does give someone *more* than "total access to all your files", since the keychain in which those passwords are stored is encrypted on disk.

>> the root user using ssh (or someone who can sudo) can inject Javascript into the console user's browser;
>
> Are you even considering what you are saying? Someone has *ROOT* access to your system REMOTELY over ssh and you're worried that they might be able to retrieve a password from your keychain. By this stage, your entire system and every file in it is pretty much owned.

Again, owning the file is not quite as good as owning the web passwords, since the file is encrypted, usually with the user's login password (if we're talking about the login keychain) but not always. The harm here, as I see it, is that if you have Safari open and have unlocked a keychain for it, with some valuable passwords (say for financial institutions), someone who can execute arbitrary code as your user can read passwords from that keychain that they couldn't read from the keychain as stored on disk.

I'm not sure if making Safari dump core would also reveal these passwords; if so that would make this issue more or less moot. And of course as root one can presumably read the passwords out of system memory. But this behavior seems to make it too easy, no?
---IWC
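The point above is that the keychain is only protected while it is locked; once the user unlocks it for Safari, anything running as that user can use it. One mitigation on the defender's side is to shorten that window by having the login keychain lock itself after inactivity and on sleep. The script below is an added example, not code from this thread or from Apple; it uses the macOS `security` command (`set-keychain-settings` and `show-keychain-info`), assumes the default login keychain path, and the 300-second timeout and the sample `show-keychain-info` line it parses are constructed values, not a documented format.

```shell
#!/bin/sh
# Added example: limit how long the login keychain stays unlocked.
# Assumes the macOS `security` CLI; the keychain path and timeout are
# assumed defaults chosen for illustration.

KEYCHAIN="${HOME}/Library/Keychains/login.keychain-db"   # assumed default path
TIMEOUT_SECONDS=300                                      # constructed choice

# Build the arguments for `security set-keychain-settings`:
#   -l  lock the keychain when the system sleeps
#   -u  lock the keychain after the inactivity timeout
#   -t  the timeout, in seconds
lock_policy_args() {
    printf '%s' "set-keychain-settings -l -u -t $1 $2"
}

# Extract the timeout from one line of `security show-keychain-info` output.
# Returns the number of seconds, "no-timeout", or "unknown". The line shape
# matched here comes from a constructed sample, not from Apple's documentation.
parse_timeout() {
    case "$1" in
        *no-timeout*) printf 'no-timeout' ;;
        *timeout=*)   printf '%s' "${1##*timeout=}" | sed 's/s$//' ;;
        *)            printf 'unknown' ;;
    esac
}

# Apply the policy and print the resulting settings. Only meaningful on macOS;
# elsewhere it reports the missing tool and returns non-zero.
apply_lock_policy() {
    if ! command -v security >/dev/null 2>&1; then
        echo "security(1) not found; run this on macOS" >&2
        return 1
    fi
    # shellcheck disable=SC2046  # word-splitting of the argument string is intended
    security $(lock_policy_args "$TIMEOUT_SECONDS" "$KEYCHAIN")
    security show-keychain-info "$KEYCHAIN" 2>&1
}

# Run as `sh keychain-lock.sh --apply` to change the settings.
if [ "${1:-}" = "--apply" ]; then
    apply_lock_policy
fi
```

A locked keychain still has to be unlocked by the user (or by the login password at login), so this does not remove the exposure Ian describes; it only bounds how long an unlocked keychain is available to other code running as the same user, and `security lock-keychain` can close the window immediately when the machine is left unattended.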