[Micronet] Old Safari versions on Mac OS expose web login credentials | ZDNet


Ian Crew
All:

FYI. Apparently this can be fixed very simply by upgrading to Safari 6.1, which is available for Mac OS X 10.7 and 10.8, and comes with Mac OS 10.9...


Safari on Mac OS exposes web login credentials

Kaspersky researchers have discovered that Apple's Safari web browser on OS X stores session information, including the username and password, in a plain text XML file, available for any user to read.

[UPDATE: I have checked with Kaspersky and they say that this problem was fixed in Safari 6.1. This fact is not in their blog, or at least it wasn't in the initial version. Since Safari 6.1 comes by default on OS X 10.9 (Mavericks), users on that OS are not affected. Apple also did supply a Safari 6.1 update for OS X 10.8 (Mountain Lion) and OS X 10.7 (Lion), so users who apply that update will not be vulnerable.]

Like many other browsers, Safari can save the locations and state of open web pages when the user exits in order to reestablish them when the browser is reopened. When Safari does this, according to Kaspersky researcher Vyacheslav Zakorzhevsky, it saves the session state in a file named LastSession.plist. The file is in a hidden directory, but access to it is not restricted. The data in the file is unencrypted, even if the session itself used HTTPS.

A Safari plist file following an attempt to log in to Gmail

Kaspersky says they have confirmed the issue on these versions of OS X and Safari:

  • OSX10.8.5, Safari 6.0.5 (8536.30.1)
  • OSX10.7.5, Safari 6.0.5 (7536.30.1)

They say nothing in their blog about 10.9, the current and only supported version; we are researching this and will update this article if we learn more. They also don't say if the same problem exists on Safari on other platforms, basically Windows and iOS. [UPDATE: As I mention above, OS X 10.9 and earlier versions running Safari 6.1 are not vulnerable.]

The potential downside is that a malicious user or program, even with an unprivileged account, could gain access to a user's web site login credentials. Kaspersky says "As far as we are concerned, storing unencrypted confidential information with unrestricted access is a major security flaw that gives malicious users the opportunity to steal user data with a minimum of effort."

They have informed Apple, but have not yet received a response.

[UPDATE: There really isn't anything for Apple to respond to; they have addressed the problem in Safari 6.1, although they did not mention such a fix in their vulnerability disclosure for that version.]

Ian Crew
Platform and Services Manager, Research Hub

IST-Architecture, Platforms and Integration (API)
Earl Warren Hall, Second Floor
University of California, Berkeley
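An added check (my own script, not code from the article, Kaspersky or Apple) that reports the two conditions the article describes on a Mac: a Safari release older than 6.1, and a LastSession.plist that other local accounts can read. The ~/Library/Safari location of the file and the use of PlistBuddy to read the Safari version are my assumptions; the 6.1 threshold comes from the article.

```shell
#!/bin/sh
# Added check, not from the ZDNet article or Kaspersky's post. It reports whether
# this Mac matches the two conditions the article describes: a Safari older than
# 6.1 and a LastSession.plist that other local accounts can read.
# Assumptions: the file lives under ~/Library/Safari, and PlistBuddy is available.

SESSION_FILE="$HOME/Library/Safari/LastSession.plist"
SAFARI_INFO="/Applications/Safari.app/Contents/Info.plist"

# True (exit 0) when the "other" read bit is set on the given path.
# Column 8 of the ls -ld mode string is that bit on both BSD and GNU ls.
other_readable() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c8)
    [ "$mode" = "r" ]
}

# True (exit 0) when a version string such as 6.0.5 is older than 6.1.
# cut -s yields an empty minor when there is no dot, which is treated as 0.
older_than_6_1() {
    major=$(printf '%s' "$1" | cut -s -d. -f1)
    minor=$(printf '%s' "$1" | cut -s -d. -f2)
    [ -n "$major" ] || major=$1
    [ -n "$minor" ] || minor=0
    [ "$major" -lt 6 ] || { [ "$major" -eq 6 ] && [ "$minor" -lt 1 ]; }
}

# Print the findings; always returns 0 so it can run from a login or fleet script.
report() {
    if [ -f "$SAFARI_INFO" ] && [ -x /usr/libexec/PlistBuddy ]; then
        ver=$(/usr/libexec/PlistBuddy -c 'Print :CFBundleShortVersionString' "$SAFARI_INFO")
        if older_than_6_1 "$ver"; then
            echo "Safari $ver is older than 6.1: session state is saved unencrypted; update Safari."
        else
            echo "Safari $ver is at or above 6.1, the version the article says fixed this."
        fi
    else
        echo "Safari not found at $SAFARI_INFO (not a Mac, or Safari installed elsewhere)."
    fi
    if [ -f "$SESSION_FILE" ]; then
        if other_readable "$SESSION_FILE"; then
            echo "$SESSION_FILE is readable by other local users."
        else
            echo "$SESSION_FILE is not readable by other local users."
        fi
    else
        echo "No $SESSION_FILE present."
    fi
    return 0
}

report
```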
