Major security flaw!

[gurbinav]

Everyone's talking about how you can unlock the device without a passcode which is minor. Here's what we need to worry about:

Go into Preferences>Safari>Passwords and Autofill>Saved passwords

There you'll find all of your saved passwords in PLAIN TEXT.

 

[Mentat2K]

Uau, that's a "big" finding!

So... do you want to see the password like *****?
What is the use?
You can use that list if you forget a password.

The simple rule is "never let a browser memorise passwords!"

The same thing on desktops!

P.S. Use 1password for logins on Windows/Mac/IOS

 

[MarcusCarpenter]

If you have a pass code lock it asks you for your code when you go into the saved passwords

 

[bbfc]

Everyone's talking about how you can unlock the device without a passcode which is minor. Here's what we need to worry about:

Go into Preferences>Safari>Passwords and Autofill>Saved passwords

There you'll find all of your saved passwords in PLAIN TEXT.

It asks for your passcode when you go to view any password.

 

[matttye]

It should let us set a stronger password for that area!

 

[gurbinav]

I dont have a passcode lock set. My phone rarely leaves my hands and if it were to get stolen I know I would need to change my passwords immediately. That was a risk I was willing to take.

Now, however, instead of having to gain physical access to my phone for a significant amount of time, finding out passwords is a matter of 30 seconds of snooping!

 

[sim667]

I dont have a passcode lock set. My phone rarely leaves my hands and if it were to get stolen I know I would need to change my passwords immediately. That was a risk I was willing to take.

Now, however, instead of having to gain physical access to my phone for a significant amount of time, finding out passwords is a matter of 30 seconds of snooping!

Put a passcode lock on it then.

Anyone who doesnt have a passcode lock deserves to have their details nicked if they lose their phone.

 

[Eresin]

Everyone's talking about how you can unlock the device without a passcode which is minor.

Wait? wut?! This is news to me, care to explain?

 

[marktuk]

It shouldn't display them full stop. It should just show the user name and the fact you have a saved password. The only options should be to delete it, or re-enter it if it has changed.

It shouldn't be a password reminder service, put a "hint" field in for that.

This is pretty basic stuff that was standardised in the software industry years ago.

 

[gurbinav]

@sim
My entire point was losing your phone is no longer a requirement.

----------

@eresin

http://m.bbc.co.uk/news/technology-24170429

 

[Todd B.]

Don't worry, Google says this is all in the name of "promoting security"....

Seriously, though, iCloud Keychain is going to solve this (and you shouldn't be saving passwords in the browser any way).

 

[Steve121178]

Don't worry, Google says this is all in the name of "promoting security"....

Seriously, though, iCloud Keychain is going to solve this (and you shouldn't be saving passwords in the browser any way).

I don't rate Apple's security or their response to security issues so I'll be damned if I'm going to let my passwords sit on Apple's servers.

 

[maflynn]

Please use our existing thread https://forums.macrumors.com/threads/1639964/

 

[maflynn]

[MOD NOTE]
Thread reopened - the linked news story is about a different security flaw. Sorry for the confusion.

 

[gurbinav]

I prefer my passwords stored locally only.