Major security flaw!


gurbinav
Sep 20, 2013, 04:15 AM
Everyone's talking about how you can unlock the device without a passcode which is minor. Here's what we need to worry about:

Go into Preferences>Safari>Passwords and Autofill>Saved passwords

There you'll find all of your saved passwords in PLAIN TEXT.

Mentat2K
Sep 20, 2013, 04:19 AM
Wow, that's a "big" finding!

So... do you want to see the password like *****?
What is the use?
You can use that list if you forget a password.

The simple rule is "never let a browser memorise passwords!"

The same thing on desktops!

P.S. Use 1Password for logins on Windows/Mac/iOS

MarcusCarpenter
Sep 20, 2013, 04:22 AM
If you have a passcode lock, it asks you for your code when you go into the saved passwords.

bbfc
Sep 20, 2013, 04:27 AM
> Everyone's talking about how you can unlock the device without a passcode which is minor. Here's what we need to worry about:
>
> Go into Preferences>Safari>Passwords and Autofill>Saved passwords
>
> There you'll find all of your saved passwords in PLAIN TEXT.

It asks for your passcode when you go to view any password.

matttye
Sep 20, 2013, 04:45 AM
It should let us set a stronger password for that area!

gurbinav
Sep 20, 2013, 05:31 AM
I don't have a passcode lock set. My phone rarely leaves my hands and if it were to get stolen I know I would need to change my passwords immediately. That was a risk I was willing to take.

Now, however, instead of having to gain physical access to my phone for a significant amount of time, finding out passwords is a matter of 30 seconds of snooping!

sim667
Sep 20, 2013, 05:57 AM
> I don't have a passcode lock set. My phone rarely leaves my hands and if it were to get stolen I know I would need to change my passwords immediately. That was a risk I was willing to take.
>
> Now, however, instead of having to gain physical access to my phone for a significant amount of time, finding out passwords is a matter of 30 seconds of snooping!

Put a passcode lock on it then.

Anyone who doesn't have a passcode lock deserves to have their details nicked if they lose their phone.

Eresin
Sep 20, 2013, 05:59 AM
> Everyone's talking about how you can unlock the device without a passcode which is minor.

Wait? wut?! This is news to me, care to explain?

marktuk
Sep 20, 2013, 06:09 AM
It shouldn't display them full stop. It should just show the user name and the fact you have a saved password. The only options should be to delete it, or re-enter it if it has changed.

It shouldn't be a password reminder service, put a "hint" field in for that.

This is pretty basic stuff that was standardised in the software industry years ago.

gurbinav
Sep 20, 2013, 06:35 AM
@sim
My entire point was losing your phone is no longer a requirement.

----------

@eresin

http://m.bbc.co.uk/news/technology-24170429

Todd B.
Sep 20, 2013, 06:41 AM
Don't worry, Google says (http://www.theverge.com/2013/8/7/4597018/google-chrome-saved-browser-passwords) this is all in the name of "promoting security"....

Seriously, though, iCloud Keychain is going to solve this (and you shouldn't be saving passwords in the browser anyway).

Steve121178
Sep 20, 2013, 06:54 AM
> Don't worry, Google says (http://www.theverge.com/2013/8/7/4597018/google-chrome-saved-browser-passwords) this is all in the name of "promoting security"....
>
> Seriously, though, iCloud Keychain is going to solve this (and you shouldn't be saving passwords in the browser anyway).

I don't rate Apple's security or their response to security issues so I'll be damned if I'm going to let my passwords sit on Apple's servers.

maflynn
Sep 20, 2013, 06:58 AM
Please use our existing thread http://forums.macrumors.com/showthread.php?t=1639964

maflynn
Sep 20, 2013, 07:26 AM
[MOD NOTE]
Thread reopened - the linked news story is about a different security flaw. Sorry for the confusion.

gurbinav
Sep 20, 2013, 10:41 AM
I prefer my passwords stored locally only.