Safari on Mac OS exposes web login credentials

Safari on Mac OS exposes web login credentials

Summary: [UPDATE] Kaspersky research shows that Safari, in saving a session for reopening later, stores session information in plain text. This includes usernames and passwords. This problem was fixed in Safari 6.1 and only affects earlier versions.

SHARE:
TOPICS: Security, Apple
93

Kaspersky researchers have discovered that Apple's Safari web browser on OS X stores session information, including the username and password, in a plain text XML file, available for any user to read.

[UPDATE: I have checked with Kaspersky and they say that this problem was fixed in Safari 6.1. This fact is not in their blog, or at least it wasn't in the initial version. Since Safari 6.1 comes by default on OS X 10.9 (Mavericks), users on that OS are not affected. Apple also did supply a Safari 6.1 update for OS X 10.8 (Mountain Lion) and OS X 10.7 (Lion), so users who apply that update will not be vulnerable.]

Like many other browsers, Safari can save the locations and state of open web pages when the user exits in order to reestablish then when the browser is reopened. When Safari does this, according to Kaspersky researcher Vyacheslav Zakorzhevsky, it saves the session state in a file named LastSession.plist. The file is in a hidden directory, but access to it is not restricted. The data in the file is unencrypted, even if the session itself used HTTPS.

safari.plist.gmail.login
A Safari plist file following an attempt to log in to Gmail

Kaspersky says they have confirmed the issue on these versions of OS X and Safari:

  • OSX10.8.5, Safari 6.0.5 (8536.30.1)
  • OSX10.7.5, Safari 6.0.5 (7536.30.1)

They say nothing in their blog about 10.9, the current and only supported version; we are researching this and will update this article if we learn more. They also don't say if the same problem exists on Safari on other platforms, basically Windows and iOS. [UPDATE: As I mention above, OS X 10.9 and earlier versions running Safari 6.1 are not vulnerable.]

The potential downside is that a malicious user or program, even with an unprivileged account, could gain access to a user's web site login credentials. Kaspersky says "As far as we are concerned, storing unencrypted confidential information with unrestricted access is a major security flaw that gives malicious users the opportunity to steal user data with a minimum of effort."

They have informed Apple, but have not yet received a response.

[UPDATE: There really isn't anything for Apple to respond to; they have addressed the problem in Safari 6.1, although they did not mention such a fix in their vulnerability disclosure for that version.]

Topics: Security, Apple

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

93 comments
Log in or register to join the discussion
  • unbelievable, Apple is atrocious on security

    For all their stone throwing at others this kind of issue is unforgivable and their support stance on only supporting the latest release is unconscionable. Apple has no place at the enterprise table. Apples security posture is unvetted and by all indications is virtually non existent.
    greywolf7
    • Do you feel better now?

      I mean, this is obviously something that's been keeping you awake at night. And probably popping antacid pills like candy.
      baggins_z
      • You tell us.

        As we hear these kinds of comments when it comes to Windows.
        ye
        • Not from me.

          So try again.
          baggins_z
    • The same can be said for Google and Microsoft...

      10.9 (supported) doesn't have that issue... Apple's older 10.8 and 10.7 are vulnerable but Apple states they aren't supporting those OS' - You can stamp your feet and have a tizzy fit but no one is holding a gun to anyone's head to purchase their products... But before you go sob on Google's doorstep think about this:

      Google - Producing an OS that almost never gets updates pushed to 99% of it's user base unless they purchase a premium device. 1.1% have Android 4.4 compared to ~95% on iOS... http://developer.android.com/about/dashboards/index.html


      Microsoft - Which has done an admirable job but it has to as it's the defacto standard for 90% of the computers on the planet...

      No go throw a tantrum!
      dragnn
      • Strawman much?

        "No go throw a tantrum!"
        ye
        • Do you even know that a straw man argument is? Clearly not.

          .DeusExMachina.
    • Is that you Toddy? or are you the new hire?

      On a more serious note…this flaw seems to refer to Safari's ability to reopen a web page and restore a session that was open when the application was quit. Can someone tell me if the password is still stored and accessible in this way if the window of the session was closed prior to quitting or if the session itself was closed (user logged out of the session)? In other words, if I log out or simply close the window before quitting Safari, am I protected from this. From the article above I would assume so.
      UGottaBKidding
      • Give it a try

        It doesn't appear to be difficult to replicate.
        ye
        • Have you tries to do that under Mavericks a patched Lion or ML machine?

          Those blogged updates sure do wreck a troll's day. Grin
          kenosha77a
    • Interesting response to an inaccurate initial blog post

      Trolls should do their homework before posting a comment. Just a suggestion for you.
      kenosha77a
    • Wrong compare it to Microsoft junk.

      If you read the article and know Apple products, the newest OS which is free called Mavericks, I used to do eWorld's customer letters in the nineties and I felt everyone using a Mac won't pay a dine for anything. No software is perfect. Mavericks is a free upgrade if you bought a computer after the fall of the Roman Empire.
      Rich Barnes
    • read

      the update.
      but yeah, apple is awful. unlike windows security which has cost consumers and businesses billions and billions of dollars.
      oneleft
  • 6 Months later...

    Apple might actually fix it
    bean520-0b405
    • Will they?

      At this time no one knows if Apple will support "older" operating systems.
      ye
      • This is about Safari, an application,

        not OS X, an operating system.
        baggins_z
        • Doesn't change what I wrote.

          Apple is not supporting "older" (as in an OS that was being sold just two months ago) operating systems. With that said who knows if Apple will make the updated version available for those "older" operating systems.
          ye
          • Nice spin.

            You should try out for the gymnastics team.
            baggins_z