lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Mon, 14 May 2007 13:58:23 -0700 From: "Lucas, Mark J." <mjlucas@...tech.edu> To: <bugtraq@...urityfocus.com> Subject: RE: Apple Safari on MacOSX may reveal user's saved passwords If I'm reading this correctly, there has to be a malicious user at the console of a logged in computer (or connected in some other authenticated way). If I have a malicious user at my console logged in as me, I've got more problems than web form passwords being revealed. Am I reading this incorrectly? > Apple Safari on Macosx may reveal user's saved passwords. A local user with > legitimate access to the system is able to steal keychained password by injecting > javascripts into a loaded webpage via applescript. > It seems that safari fails to validate the source of injected code, however apple > belives this is the correct behaviour so no fixes will be made available.
Powered by blists - more mailing lists