Bugtraq mailing list archives

Re: Apple Safari on MacOSX may reveal user's saved passwords


From: David Cantrell <d.cantrell () outcometechnologies com>
Date: Thu, 17 May 2007 12:47:24 +0100

graham.coles () the-logic-group com wrote:

> > It works for:
> > the same user using ssh as is on the console;
> If someone can remotely log in as you over ssh then they already have your password (or worse, certificate!), so why would they try to obtain it from a browser?

They can obtain other stuff that I type in the browser, such as passwords etc that I might use for online banking and which I don't store in Keychain. Personally, I don't think that the Keychain bit is particularly important.

> They already have total access to all your files, there would appear to be nothing more to gain from this.

Perhaps you do (in which case I recommend you stop), but I don't store all my information in files, and of that which I do, not all those files are merely protected by my standard login and password. Some, such as how I authenticate to my bank, are stored in a gpg-encrypted file in case I ever forget. Others, such as my gpg passphrase, live only in my head. Trust me, merely logging in as me won't help anyone get at those data.

> > the root user using ssh (or someone who can sudo) can inject
> > Javascript into the console user's browser;
> Are you even considering what you are saying?

Yes.  Are you?

> Someone has *ROOT* access to your system REMOTELY over ssh and you're worried that they might be able to retrieve a password from your keychain.

Yes, it would be annoying if someone rooted my laptop. It would be a lot more annoying if they not only rooted my laptop but also cleaned out my bank account via my browser.

It *is* somewhat disturbing that root can so trivially interfere with the guts of someone else's processes. Normally, root has to do a lot of work to do that.

> > a different non-root user on the console can do it too
> Which again restricts this vulnerability (as previously mentioned) to an attacker who happens to be sitting in front of your machine(!)

Did you read the bit where I speculated about setuid applications?

--
David Cantrell
