Password Leakage in Safari

Monday, December 16, 2013 @ 04:12 PM gHale

There is a security hole in some versions of Apple’s Safari web browser where attackers could use the bug to gain password access, researchers said.

The flaw, which effects OSX10.8.5, Safari 6.0.5 (8536.30.1) and OSX10.7.5, Safari 6.0.5 (7536.30.1), exists because of the “Reopen All Windows from Last Session” feature, said researchers at Kaspersky Lab.

Google Fixes Chrome Hole
Security Fixes for Firefox 25
Browser Security Warnings Effective
Security Holes Fixed in Chrome

This reopen feature allows users to restore their previous sessions to the exact way they were before the session closed out. This means if a user logged in to a website before closing the session, when he or she restores the session, he or she will automatically be up and running on that site.

For this technology to work, Safari stores the information in a file located in a hidden folder. Unfortunately, the sensitive data does not end up encrypted.

The file in question, LastSession.plist, shows all user credentials in clear text.

“The system can easily open a plist file. It stores information about the saved session – including http requests encrypted using a simple Base64 encoding algorithm – in a structured format,” Vyacheslav Zakorzhevsky, a Kaspersky Lab researcher said in a blog post.

A local attacker would have no problem in accessing the file.

“As far as we are concerned, storing unencrypted confidential information with unrestricted access is a major security flaw that gives malicious users the opportunity to steal user data with a minimum of effort,” Zakorzhevsky said in the blog.

Kaspersky notified Apple of the issue, but it hasn’t revealed if the company plans on doing anything about it.

“At the current time we can’t confirm whether or not there is malicious code out there that targets this file, but we’re ready to bet that it won’t be long before it appears,” Zakorzhevsky said in the blog.

Leave a Reply

You must be logged in to post a comment.