The peeps behind Kaspersky Labs’ Securelist blog have uncovered an Easter Egg in Safari, which they claim lists user IDs and passwords in plaintext.
The problem stems from Safari’s retention of browsing state for its “Reopen All Windows from Last Session” feature — which lets users easily revisit the sites they had open during previous Safari sessions.
However, Kaspersky has found that the document Safari writes to make this restoration possible also stores user IDs and passwords in plaintext. The file itself is hidden, but it isn’t hard to find once you know what you’re looking for.
And as Kaspersky’s blog points out:
“You can just imagine what would happen if cybercriminals or a malicious program got access to the LastSession.plist file on a system where the user logs in to Facebook, Twitter, LinkedIn or their online bank account.
As far as we are concerned, storing unencrypted confidential information with unrestricted access is a major security flaw that gives malicious users the opportunity to steal user data with a minimum of effort.”
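As an added defensive check (not Kaspersky’s tooling or Apple’s code), the Python script below parses a plist in the shape of a session file and reports, with the values masked, any string or data entry that looks like it carries a password field. The sample structure and the on-disk path are assumptions for illustration, not Safari’s actual schema.

```python
import plistlib
import re
from pathlib import Path

# Form-field names that commonly carry a password in a URL query or POST body.
CRED_FIELD = re.compile(rb"(?i)\b(pass(?:word|wd|code)?|pwd)=([^&\s]+)")


def _redact(blob: bytes) -> str:
    """Return printable text with every matched credential value masked."""
    return CRED_FIELD.sub(lambda m: m.group(1) + b"=***", blob).decode("utf-8", "replace")


def _walk(node, path, findings):
    """Recurse through the plist object tree; record credential-like leaves."""
    if isinstance(node, dict):
        for key, val in node.items():
            _walk(val, f"{path}/{key}", findings)
    elif isinstance(node, list):
        for i, val in enumerate(node):
            _walk(val, f"{path}[{i}]", findings)
    elif isinstance(node, (str, bytes, bytearray)):
        # Strings and <data> blobs are where a saved URL or request body would live.
        blob = node.encode("utf-8") if isinstance(node, str) else bytes(node)
        if CRED_FIELD.search(blob):
            findings.append((path, _redact(blob)))


def scan_session_plist(raw: bytes):
    """Parse a binary or XML plist; return [(key path, redacted text), ...]."""
    findings = []
    _walk(plistlib.loads(raw), "", findings)
    return findings


# Constructed sample in the rough shape of a session file: NOT Safari's real schema.
SAMPLE_PLIST = plistlib.dumps({
    "SessionWindows": [{"TabStates": [
        {"TabURL": "https://example.test/home"},
        {"TabURL": "https://example.test/login?user=alice&password=hunter2",
         "SessionState": b"user=alice&passwd=hunter2"},
    ]}]
})

if __name__ == "__main__":
    # Assumed location of the file; falls back to the constructed sample if absent.
    path = Path.home() / "Library" / "Safari" / "LastSession.plist"
    raw = path.read_bytes() if path.exists() else SAMPLE_PLIST
    for where, text in scan_session_plist(raw):
        print(f"credential-like field at {where}: {text}")
```

A non-empty result means the session file should be removed and the restore feature disabled until a fixed Safari is installed; the script never prints the captured value itself.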
There is one bit of good news: Kaspersky says the problem only affects OS X 10.8.5 running Safari 6.0.5 (8536.30.1) and OS X 10.7.5 with Safari 6.0.5 (7536.30.1).
Kaspersky has contacted Apple with its findings.