Safari File Reveals Your User IDs & Passwords In Plain Text


Researchers at Kaspersky Lab's Securelist blog have uncovered a flaw in Safari which, they say, leaves user IDs and passwords sitting on disk in plain text.

The problem stems from the session state Safari saves for its "Reopen All Windows from Last Session" feature, which lets users pick up the sites they had open in a previous Safari session.

However, Kaspersky found that the file Safari writes to make this restoration possible also stores the user IDs and passwords entered on those sites in plain text. The file is hidden from the Finder by default, but it isn't hard to find once you know what you're looking for.
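The practical check a user or administrator wants here is whether a session file on their own Mac actually contains credentials. The script below is an added example written for this post; it is not Kaspersky's tooling or anything from Apple. Safari's session file is a binary property list, so it uses Python's `plistlib`, which reads both binary and XML plists, and walks every string or data leaf without depending on Safari's key names. The sample session tree (`SessionWindows`, `TabStates`, `TabURL`, `PostData`) is constructed for the demo and its key names are assumptions, not Safari's real schema. It flags two ways a credential can end up in such a file: a URL carrying `user:password@host` userinfo, and form-encoded data with a credential-looking parameter name. It also reports whether the file is readable by other local accounts, which is the kind of "unrestricted access" the Kaspersky quote further down objects to.

```python
import os
import plistlib
import re
import stat
import tempfile
from urllib.parse import parse_qs, urlsplit

# Constructed sample session tree. Key names are assumptions for the demo,
# not Safari's actual LastSession.plist schema.
SAMPLE_SESSION = {
    "SessionWindows": [
        {
            "TabStates": [
                {"TabURL": "https://example.com/login",
                 "PostData": b"username=alice&password=hunter2"},
                {"TabURL": "https://bob:s3cret@example.org/account"},
                {"TabURL": "https://news.example.net/"},
            ]
        }
    ]
}

# Parameter names that usually carry a user ID or password in form posts.
CRED_PARAM = re.compile(r"(pass(word|wd)?|pwd|user(name)?|login|email)", re.I)


def _leaves(node):
    """Yield every str/bytes leaf in a plist tree, regardless of key names."""
    if isinstance(node, dict):
        for value in node.values():
            yield from _leaves(value)
    elif isinstance(node, list):
        for value in node:
            yield from _leaves(value)
    elif isinstance(node, bytes):
        yield node.decode("utf-8", "replace")
    elif isinstance(node, str):
        yield node


def find_credentials(tree):
    """Return (kind, name, secret) tuples for credential-looking leaves."""
    findings = []
    for text in _leaves(tree):
        parts = urlsplit(text)
        # Case 1: credentials embedded in URL userinfo, scheme://user:pass@host
        if parts.scheme and parts.username:
            findings.append(("url-userinfo", parts.username, parts.password))
        # Case 2: a query string or a raw form body with credential-like fields
        body = parts.query if parts.scheme else text
        for name, values in parse_qs(body).items():
            if CRED_PARAM.fullmatch(name):
                findings.append(("form-field", name, values[0]))
    return findings


def scan_plist_file(path):
    """Load a binary or XML plist from disk and scan it for credentials."""
    with open(path, "rb") as handle:
        return find_credentials(plistlib.load(handle))


def world_readable(path):
    """True if group or other accounts on the machine can read the file."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def demo():
    """Write the sample as a binary plist with loose permissions, then audit it.

    Returns (findings, readable_by_others). The 0o644 mode is set deliberately
    to show the permission check firing; a real session file should be 0o600.
    """
    with tempfile.NamedTemporaryFile(suffix=".plist", delete=False) as handle:
        plistlib.dump(SAMPLE_SESSION, handle, fmt=plistlib.FMT_BINARY)
        path = handle.name
    try:
        os.chmod(path, 0o644)
        return scan_plist_file(path), world_readable(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    found, readable = demo()
    for kind, name, secret in found:
        print(f"{kind}: {name} = {secret}")
    print("readable by other accounts:", readable)
```

To audit a real machine, point `scan_plist_file` at the session file instead of the constructed sample. Matching on parameter names is a heuristic: it will miss sites that use unusual field names and it cannot see inside encoded or serialized blobs, so an empty result is not proof that the file is clean.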

And as Kaspersky’s blog points out:

“You can just imagine what would happen if cybercriminals or a malicious program got access to the LastSession.plist file on a system where the user logs in to Facebook, Twitter, LinkedIn or their online bank account.

As far as we are concerned, storing unencrypted confidential information with unrestricted access is a major security flaw that gives malicious users the opportunity to steal user data with a minimum of effort.”

There is one bit of good news: Kaspersky says the problem affects only OS X 10.8.5 running Safari 6.0.5 (8536.30.1) and OS X 10.7.5 running Safari 6.0.5 (7536.30.1).

Kaspersky has contacted Apple with its findings.

  • technochick

    The only way to get to the file is if they have access to the system. Either physical or via some exploit.

    Makes me wonder just how many potential victims there are out there. Is it really that many, or is this another case of a security company hyping the issue to get attention?

About the author

Luke Dormehl is a UK-based journalist and author, with a background working in documentary film for Channel 4 and the BBC. He is the author of The Formula: How Algorithms Solve All Our Problems, And Create More and The Apple Revolution, both published by Penguin/Random House. His tech writing has also appeared in Wired, Fast Company, Techmeme, and other publications. He'd like you a lot if you followed him on Twitter.


Posted in News