Date: Thu, 28 Feb 2008 18:28:51 -0800
From: Jacob Appelbaum <jacob@...elbaum.net>
To: oc photon <ocphoton@...il.com>
Cc: bugtraq@...urityfocus.com, Matt Johnston <matt@....asn.au>,
	Bill Paul <wpaul@...nesium.net>
Subject: Re: Loginwindow.app and Mac OS X

oc photon wrote:
> On Thu, Feb 28, 2008 at 1:56 PM, Jacob Appelbaum <jacob@...elbaum.net> wrote:
>> Moin moin Bugtraq readers,
>>
>>  Bill Paul and I have discovered that LoginWindow.app doesn't clear
>>  credentials after a user is authenticated.
> This has already been discovered in 2004. While the author only looks
> at swap files, it is obvious that this is the same bug.
> 
> http://seclists.org/bugtraq/2004/Jun/0417.html
> 
> 

Thanks for the heads up. It's very possible that this is the same bug
but obviously we found it in a different context. It surely seems like
it may be the original that Apple would not discuss with us.

The bug number it was duped against was over 2 million bugs prior. Does
that sound like Apple knew about this for nearly _4_ years (!) and
didn't do anything about it?

That's seriously pathetic if it's actually the case!

Regards,
Jacob Appelbaum
