[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <f107df20705160853w703fb1e6lce12f943fcded57d@mail.gmail.com>
Date: Wed, 16 May 2007 10:53:18 -0500
From: "stephen joseph butler" <stephen.butler@...il.com>
To: bugtraq@...urityfocus.com
Subject: Re: Apple Safari on MacOSX may reveal user's saved passwords
On 5/14/07, Lucas, Mark J. <mjlucas@...tech.edu> wrote:
> If I'm reading this correctly, there has to be a malicious user at the
> console of a logged in computer (or connected in some other
> authenticated way). If I have a malicious user at my console logged in
> as me, I've got more problems than web form passwords being revealed.
>
> Am I reading this incorrectly?
No, you're right. Part of the point is that Safari is reading these
passwords from Keychain. And the whole point of Keychain is preventing
unauthorized programs from getting at the datastore. If a rogue
program asked for these passwords directly, then Keychain would
present a dialog alerting the user. But as the applescript shows, the
program can get Safari to essentially act on its behalf.
Powered by blists - more mailing lists