Old Dec 13, 2013, 11:50 AM   #1
MacRumors
macrumors bot
 
Join Date: Apr 2001
Older Versions of Safari Store Login Info in Plain Text




Older versions of Safari for Mac store unencrypted user login credentials in a plain text file, according to security firm Kaspersky (via ZDNet). Safari saves the information so that it can restore a previous browsing session through the browser's "Reopen All Windows from Last Session" feature, reopening every site from that session, including those that required authentication.

Plist file screenshot showing login credentials from Kaspersky
Quote:
It turns out that Safari for Mac OS, like many other contemporary browsers, can restore the previous browsing session. In other words, all the sites that were open in the previous session - even those that required authorization - can be restored in a few simple steps when the browser is launched. Convenient? Of course. Safe? No, unfortunately.
Safari 6.0.5 for OS X 10.8.5 and 10.7.5 does not encrypt previous sessions, storing them instead in a standard LastSession.plist file that includes website usernames and passwords. Though the file is located in a hidden folder, it is still easily accessible and can be opened on any system.

Apple fixed this issue in Safari 6.1, which was released alongside OS X 10.9 Mavericks. Mac users running Mavericks or those who have installed the Safari 6.1 update for OS X 10.8 Mountain Lion or OS X 10.7 Lion will not be affected. This problem is limited to users running Safari 6.0.5 and can be remedied by upgrading to the latest software.

Article Link: Older Versions of Safari Store Login Info in Plain Text
MacRumors is offline   0 Reply With Quote
Old Dec 13, 2013, 11:52 AM   #2
nepalisherpa
macrumors 65816
 
Join Date: Aug 2011
Location: USA
I'm glad I never use/used any "password saving" features.
__________________
Macbook Air 11" 2013/i7/8GB RAM/250GB SSD
iPhone 5 32GB Black
nepalisherpa is offline   2 Reply With Quote
Old Dec 13, 2013, 11:52 AM   #3
osx11
macrumors 6502a
 
Join Date: Jan 2011
Sometimes it amazes me how simple things like this go unnoticed for so long.
osx11 is offline   8 Reply With Quote
Old Dec 13, 2013, 12:01 PM   #4
john.jansen
macrumors newbie
 
Join Date: May 2012
That's totally misleading, firstly there is no point in encrypting data which can be seen in the browser address bar when the previous session is restored. Secondly, those are URL params, sent in plain text over the wire. The problem with the example shown is not at the browser end, it's the site at the other end which uses URL params for auth over HTTP not HTTPS.

Storm in a teacup anyone?
john.jansen is offline   22 Reply With Quote
Old Dec 13, 2013, 12:01 PM   #5
batchtaster
macrumors 6502a
 
Join Date: Mar 2008
Has nobody looked at Firefox's Saved Passwords feature? Literally the only security is a button labeled "Show Passwords". And it's been that way for years.

batchtaster is offline   11 Reply With Quote
Old Dec 13, 2013, 12:06 PM   #6
iParis
macrumors 68040
 
Join Date: Jul 2008
Location: New Mexico
Quote:
Originally Posted by batchtaster View Post
Has nobody looked at Firefox's Saved Passwords feature? Literally the only security is a button labeled "Show Passwords". And it's been that way for years.

Whether or not people have realized this, Apple's the bad guy we're supposed to criticize every move from, remember? /sarcasm
iParis is offline   4 Reply With Quote
Old Dec 13, 2013, 12:08 PM   #7
OldSchoolMacGuy
macrumors 6502a
 
Join Date: Jul 2008
Why bother with the few passwords in Safari when you can easily grab everything in the Keychain and have been able to for years.
OldSchoolMacGuy is offline   2 Reply With Quote
Old Dec 13, 2013, 12:27 PM   #8
Northgrove
macrumors 6502a
 
Join Date: Aug 2010
Is it just me, or is that password encoded in the URL itself?

That's risking security breaches like mad if true, Safari or not.

"Oh hai, I found your password in your browser history. And hey, here I saw it once again when the address bar autocompleted your URL and I was sitting next to you!" (I'm probably missing a lot of completely different scenarios)

I think it is a bit much to expect Safari to encode the URL info itself. That one should never contain sensitive info.

----------

Quote:
Originally Posted by john.jansen View Post
That's totally misleading, firstly there is no point in encrypting data which can be seen in the browser address bar when the previous session is restored. Secondly, those are URL params, sent in plain text over the wire. The problem with the example shown is not at the browser end, it's the site at the other end which uses URL params for auth over HTTP not HTTPS.

Storm in a teacup anyone?
Yeah, this is completely insecure anyway. I had even missed that it used http and not even https, so yes, it's sent in cleartext on all browsers over the wire.
__________________
iPhone 5 rMBP 15" (2012)
Northgrove is offline   3 Reply With Quote
Old Dec 13, 2013, 12:38 PM   #9
snowmoon
macrumors 6502a
 
Join Date: Oct 2005
Location: Albany, NY
Quote:
Originally Posted by Northgrove View Post
Is it just me, or is that password encoded in the URL itself?
Yep, if the site stores the password on the URL then it's captured here, as well as your browsing history, any transparent firewall or proxy services, ....
__________________
UMBP 2.4 15" replacement for a MBP2,2 with a boatload of issues.
snowmoon is offline   1 Reply With Quote
Old Dec 13, 2013, 12:39 PM   #10
Squilly
macrumors 68000
 
Join Date: Nov 2012
Location: PA
I have no idea how they managed to let this slip. They're all about security.
__________________
iPhone 5s 16gb Space Gray Sprint
Squilly is offline   0 Reply With Quote
Old Dec 13, 2013, 12:52 PM   #11
mathcolo
macrumors 6502a
 
Join Date: Sep 2008
Location: Massachusetts
Quote:
Originally Posted by batchtaster View Post
Has nobody looked at Firefox's Saved Passwords feature? Literally the only security is a button labeled "Show Passwords". And it's been that way for years.

That requires user interaction to read though...quite presumably a malicious program elsewhere on the system wouldn't be able to read the data.
__________________
13" MacBook Pro Retina - 2.6 GHz i5 - 512GB SSD - 8GB RAM
- Google Nexus 5
[Retired]13" MacBook Pro - 2.53 GHz C2D - 240GB SSD - 8GB RAM
[Retired]- Samsung Galaxy Nexus LTE
mathcolo is offline   0 Reply With Quote
Old Dec 13, 2013, 12:52 PM   #12
wannger27
macrumors newbie
 
Join Date: Jul 2007
Quote:
Originally Posted by OldSchoolMacGuy View Post
Why bother with the few passwords in Safari when you can easily grab everything in the Keychain and have been able to for years.
Because the Keychain is encrypted.
wannger27 is offline   2 Reply With Quote
Old Dec 13, 2013, 01:15 PM   #13
mw360
macrumors 6502a
 
Join Date: Aug 2010
Quote:
Originally Posted by john.jansen View Post
That's totally misleading, firstly there is no point in encrypting data which can be seen in the browser address bar when the previous session is restored. Secondly, those are URL params, sent in plain text over the wire. The problem with the example shown is not at the browser end, it's the site at the other end which uses URL params for auth over HTTP not HTTPS.

Storm in a teacup anyone?
What you're saying makes complete sense, but... it can't be that simple. All those sites, and MacRumors reporting it as if it were a scandal. There must be more to it.
mw360 is offline   0 Reply With Quote
Old Dec 13, 2013, 01:24 PM   #14
Parasprite
macrumors 6502a
 
Join Date: Mar 2013
While the security here is more akin to in-browser "Show Password"-type buttons (Firefox, Chrome) than the article (plaintext - exploitable by simple text searching) I'm nonetheless amazed that already auto-completed passwords can be seen by right-clicking the password box and hitting "inspect element".

Quote:
Originally Posted by Northgrove View Post
Is it just me, or is that password encoded in the URL itself?
I sometimes type a portion of my password into the history search box to see if anything will come up. I haven't seen anything yet, but I wouldn't doubt it (there are some pretty bad coders out there).

Now if only Chrome had a better history search...
__________________
Has anyone, anywhere, ever actually used ~/Pictures/iPod Photo Cache/ for anything besides deleting or hiding it?
Parasprite is offline   0 Reply With Quote
Old Dec 13, 2013, 01:25 PM   #15
Goozak
macrumors newbie
 
Join Date: Feb 2009
Location: Montreal, QC
Quote:
Originally Posted by john.jansen View Post
... those are url params, sent in plain text over the wire. ...
The textual representation is the same between POST and GET data; the difference being that GET data uses the URL for transmission, while POST data does not. I would venture that the screenshot actually shows POST data (which probably was sent over HTTPS).
Goozak is offline   2 Reply With Quote
Old Dec 13, 2013, 01:38 PM   #16
baryon
macrumors 68030
 
Join Date: Oct 2009
Next: Your iCloud Keychain can be accessed in plain text by anyone anywhere.

The point is: the only place any information is safe is in your HEAD.
__________________
Sent from my iPod Shuffle
baryon is offline   0 Reply With Quote
Old Dec 13, 2013, 01:38 PM   #17
Dave-Z
macrumors member
 
Join Date: Jun 2012
Well, most people (should) go by the motto: Physical access = full access. So this issue is kind of moot.

Nevertheless, regardless of the protocol (SSL or otherwise), this seems like a stupid oversight and should never have occurred to begin with.
Dave-Z is offline   1 Reply With Quote
Old Dec 13, 2013, 01:40 PM   #18
cantona1995
macrumors newbie
 
Join Date: Mar 2013
Quote:
Originally Posted by batchtaster View Post
Has nobody looked at Firefox's Saved Passwords feature? Literally the only security is a button labeled "Show Passwords". And it's been that way for years.

But you need to enter the Master Password to see them and the file that contains the passwords on the filesystem has its contents encrypted so not the same at all
cantona1995 is offline   5 Reply With Quote
Old Dec 13, 2013, 01:53 PM   #19
brianb568
macrumors newbie
 
Join Date: Apr 2013
Haha. Somebody is using GET for passwords! Seriously. Use POST with HTTPS.
brianb568 is offline   1 Reply With Quote
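The article's LastSession.plist and the GET-versus-POST discussion in posts #4, #15 and #19 come down to one check a defender can automate: which restored tab URLs carry credential-looking query parameters, and which of those were fetched over plain http. The following Python script is an added example, not code from the article, Kaspersky, Apple or any poster. It parses a session property list with the standard-library plistlib and audits each tab URL, reporting only parameter names and hosts (values are never printed). The plist layout it walks (top-level "SessionWindows", each with "TabStates" holding "TabURL" and "TabTitle") and the embedded sample file are constructed assumptions for the demo; the script takes the path to a real file as a command-line argument rather than assuming where Safari kept it.

```python
import sys
import plistlib
from urllib.parse import urlsplit, parse_qsl

# Constructed sample in the assumed shape of a Safari session plist.
# The hosts, user name and password are made up for the demo.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>SessionWindows</key>
  <array>
    <dict>
      <key>TabStates</key>
      <array>
        <dict>
          <key>TabTitle</key><string>Example Webmail</string>
          <key>TabURL</key>
          <string>http://mail.example.test/login.php?user=alice&amp;password=hunter2&amp;remember=1</string>
        </dict>
        <dict>
          <key>TabTitle</key><string>Example Bank</string>
          <key>TabURL</key>
          <string>https://bank.example.test/account?id=42</string>
        </dict>
      </array>
    </dict>
  </array>
</dict>
</plist>
"""

# Query-parameter names that commonly carry credentials. A site that puts
# these in a GET request leaks them into history, proxies and session files;
# a POST body never becomes part of the URL, so it would not appear here.
CREDENTIAL_KEYS = {
    "password", "passwd", "pwd", "pass", "secret", "token",
    "user", "username", "login",
}


def iter_tab_urls(session):
    """Yield (title, url) for every tab in the (assumed) session layout."""
    for window in session.get("SessionWindows", []):
        for tab in window.get("TabStates", []):
            url = tab.get("TabURL")
            if url:
                yield tab.get("TabTitle", ""), url


def audit_url(url):
    """Classify one URL: scheme, host and the credential-like query keys it carries."""
    parts = urlsplit(url)
    keys = {k for k, _ in parse_qsl(parts.query, keep_blank_values=True)}
    leaked = sorted(k for k in keys if k.lower() in CREDENTIAL_KEYS)
    return {
        "host": parts.hostname,
        "scheme": parts.scheme,
        "credential_params": leaked,   # names only; values are deliberately dropped
        "cleartext": parts.scheme == "http",
    }


def audit_session(plist_bytes):
    """Return findings for tabs whose URL leaks credential parameters or uses plain http."""
    session = plistlib.loads(plist_bytes)
    findings = []
    for title, url in iter_tab_urls(session):
        result = audit_url(url)
        if result["credential_params"] or result["cleartext"]:
            findings.append({"title": title, **result})
    return findings


def audit_file(path):
    """Audit a session plist on disk (path supplied by the caller)."""
    with open(path, "rb") as fh:
        return audit_session(fh.read())


if __name__ == "__main__":
    # Usage: python audit_session.py [/path/to/LastSession.plist]
    results = audit_file(sys.argv[1]) if len(sys.argv) > 1 else audit_session(SAMPLE_PLIST)
    for f in results:
        flags = []
        if f["credential_params"]:
            flags.append("credentials in query: " + ", ".join(f["credential_params"]))
        if f["cleartext"]:
            flags.append("sent over plain http")
        print(f"{f['host']} ({f['title']!r}): " + "; ".join(flags))
```

Run without arguments it audits the embedded sample and reports only the webmail tab: its login form submitted the user name and password as GET parameters over http, so both names are flagged, while the https bank tab with an opaque `id` parameter produces no finding. The design choice is that the script reports parameter names and hosts but never the values, which is all a defender needs to know which sites to move to POST over HTTPS (and which passwords to rotate) without copying the secrets anywhere else.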
Old Dec 13, 2013, 01:56 PM   #20
OldSchoolMacGuy
macrumors 6502a
 
Join Date: Jul 2008
Quote:
Originally Posted by wannger27 View Post
Because the Keychain is encrypted.
What's the default state of the Keychain? Nice and open for everyone to access.
OldSchoolMacGuy is offline   0 Reply With Quote
Old Dec 13, 2013, 02:10 PM   #21
benyu
macrumors newbie
 
Join Date: Dec 2013
Quote:
Originally Posted by cantona1995 View Post
But you need to enter the Master Password to see them and the file that contains the passwords on the filesystem has its contents encrypted so not the same at all
Maybe they meant in Google Chrome, because in Chrome you don't need to enter any password whatsoever. Someone on your computer (just using it for a few seconds even), can open Chrome, go to preferences, select "Advanced Settings" at the bottom, select "Manage saved passwords", then "Show password"! No password entry required to show the password in plain text! At least the Mac OS X Keychains are locked with the login password by default.

As for this supposed "security issue" with old versions of Safari, it seems a moot point to encrypt this data from the last session if the user/pass is in plain text in the URL itself. That's the website's security hole, not Safari's.
benyu is offline   3 Reply With Quote
Old Dec 13, 2013, 02:12 PM   #22
kycophpd
macrumors 6502
 
Join Date: Jun 2009
Quote:
Originally Posted by baryon View Post
Next: Your iCloud Keychain can be accessed in plain text by anyone anywhere.

The point is: the only place any information is safe is in your HEAD.
NOTHING is safe in my head. It is a scary place.
__________________
13" Retina MacBook Pro 2.6GHz, Apple Verizon iPhone 5S Gold 32GB Unlimited Data, iPad Air Black 64GB Verizon
kycophpd is offline   4 Reply With Quote
Old Dec 13, 2013, 02:16 PM   #23
Parasprite
macrumors 6502a
 
Join Date: Mar 2013
Quote:
Originally Posted by OldSchoolMacGuy View Post
What's the default state of the Keychain? Nice and open for everyone to access.
Really? I always have to enter a user password when accessing any password (via "show password") despite the keychain appearing "Unlocked". Even on the "Limited" user profile that I have set up with no password*, it still always asks for a password (which was mildly confusing at first) to which submitting it blank would reveal the password.

Unlike Chrome, which doesn't even give me the courtesy of offering a false sense of security.

*Yeah, yeah. I know...
__________________
Has anyone, anywhere, ever actually used ~/Pictures/iPod Photo Cache/ for anything besides deleting or hiding it?
Parasprite is offline   2 Reply With Quote
Old Dec 13, 2013, 03:10 PM   #24
OldSchoolMacGuy
macrumors 6502a
 
Join Date: Jul 2008
Quote:
Originally Posted by Parasprite View Post
Really? I always have to enter a user password when accessing any password (via "show password") despite the keychain appearing "Unlocked". Even on the "Limited" user profile that I have set up with no password*, it still always asks for a password (which was mildly confusing at first) to which submitting it blank would reveal the password.

Unlike Chrome, which doesn't even give me the courtesy of offering a false sense of security.

*Yeah, yeah. I know...
OS X ships with the normal default state being that the Keychain is unlocked. Makes things much easier for the general user so most don't change that but also makes things less secure.
OldSchoolMacGuy is offline   0 Reply With Quote
Old Dec 13, 2013, 03:34 PM   #25
clukas
macrumors 6502a
 
Join Date: May 2010
Quote:
Originally Posted by nepalisherpa View Post
I'm glad I never use/used any "password saving" features.
Same here. I don't even know most of my passwords now since I started using Lastpass last year anyways.
__________________
iMac 27 (Late 2012)  13" 2010 MacBook Pro (Mid 2010)  iPod Touch 3rd Gen 8 GB  iPhone 5  iPad 4 ATV
clukas is offline   1 Reply With Quote

Copyright 2002-2013, MacRumors.com, LLC