lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 14 May 2007 13:58:23 -0700
From: "Lucas, Mark J." <mjlucas@...tech.edu>
To: <bugtraq@...urityfocus.com>
Subject: RE: Apple Safari on MacOSX may reveal user's saved passwords

If I'm reading this correctly, there has to be a malicious user at the
console of a logged in computer (or connected in some other
authenticated way).  If I have a malicious user at my console logged in
as me, I've got more problems than web form passwords being revealed.

Am I reading this incorrectly?

> Apple Safari on Macosx may reveal user's saved passwords. A local user
with
> legitimate access to the system is able to steal keychained password
by injecting
> javascripts into a loaded webpage via applescript.
> It seems that safari fails to validate the source of injected code,
however apple
> belives this is the correct behaviour so no fixes will be made
available.

Powered by blists - more mailing lists