Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

Older Versions of Safari Store Login Info in Plain Text

MacRumors

MacRumors

macrumors bot
Original poster
Apr 12, 2001
63,532
30,841



Older versions of Safari for Mac store unencrypted user login credentials in a plain text file, according to security firm Kaspersky (via ZDNet). Safari saves the information in order to restore a previous browsing session, reopening all sites, even those that require authentication using the browser's "Reopen All Windows from Last Session" functionality.

safari_loophole_01.png
Plist file screenshot showing login credentials from Kaspersky
It turns out that Safari for Mac OS, like many other contemporary browsers, can restore the previous browsing session. In other words, all the sites that were open in the previous session - even those that required authorization - can be restored in a few simple steps when the browser is launched. Convenient? Of course. Safe? No, unfortunately.
Click to expand...
Safari 6.0.5 for OS X 10.8.5 and 10.7.5 does not encrypt previous sessions, storing them instead in a standard LastSession.plist file that includes website usernames and passwords. Though the file is located in a hidden folder, it is still easily accessible and can be opened on any system.

Apple fixed this issue in Safari 6.1, which was released alongside OS X 10.9 Mavericks. Mac users running Mavericks or those who have installed the Safari 6.1 update for OS X 10.8 Mountain Lion or OS X 10.7 Lion will not be affected. This problem is limited to users running Safari 6.0.5 and can be remedied by upgrading to the latest software.

Article Link: Older Versions of Safari Store Login Info in Plain Text
 
Article Link
https://www.macrumors.com/2013/12/13/older-versions-of-safari-store-login-info-in-plain-text/
O

osx11

macrumors 6502a
Jan 16, 2011
825
0
Sometimes it amazes me how simple things like this go unnoticed for so long.
 
john.jansen

john.jansen

macrumors newbie
May 15, 2012
2
0
Walnut Creek, CA
Thats totally misleading, firstly there is no point in encrypting data which can be seen in the browser address bar when the previous session is restored. Secondly, those are url params, sent in plain text over the wire. The problem with the example shown is not at the browser end, its the site at the other end which uses url params for auth over http not https.

Storm in a teacup anyone?
 
B

batchtaster

macrumors 65816
Mar 3, 2008
1,031
217
Has nobody looked at Firefox's Saved Passwords feature? Literally the only security is a button labeled "Show Passwords". And it's been that way for years.

firefox-passwords.png
 
iParis

iParis

macrumors 68040
Jul 29, 2008
3,671
31
New Mexico
batchtaster said:
Has nobody looked at Firefox's Saved Passwords feature? Literally the only security is a button labeled "Show Passwords". And it's been that way for years.

Image
Click to expand...

Whether or not people have realized this, Apple's the bad guy we're supposed to criticize every move from, remember? /sarcasm
 
OldSchoolMacGuy

OldSchoolMacGuy

Suspended
Jul 10, 2008
4,197
9,050
Why bother with the few passwords in Safari when you can easily grab everything in the Keychain and have been able to for years.
 
Northgrove

Northgrove

macrumors 65816
Aug 3, 2010
1,149
437
Is it just me, or is that password encoded in the URL itself?

That's risking security breaches like mad if true, Safari or not.

"Oh hai, I found your password in your browser history. And hey, here I saw it once again when the address bar autocompleted your URL and I was sitting next to you!" (I'm probably missing a lot of completely different scenarios)

I think it is a bit much to expect Safari to encode the URL info itself. That one should never contain sensitive info.

----------
john.jansen said:
Thats totally misleading, firstly there is no point in encrypting data which can be seen in the browser address bar when the previous session is restored. Secondly, those are url params, sent in plain text over the wire. The problem with the example shown is not at the browser end, its the site at the other end which uses url params for auth over http not https.

Storm in a teacup anyone?
Click to expand...
Yeah, this is completely insecure anyway. I had even missed that it used http and not even https, so yes, it's sent in cleartext on all browsers over the wire.
 
M

mathcolo

macrumors 6502a
Sep 14, 2008
860
16
Boston
batchtaster said:
Has nobody looked at Firefox's Saved Passwords feature? Literally the only security is a button labeled "Show Passwords". And it's been that way for years.

Image
Click to expand...

That requires user interaction to read though...quite presumably a malicious program elsewhere on the system wouldn't be able to read the data.
 
mw360

mw360

macrumors 68020
Aug 15, 2010
2,032
2,395
john.jansen said:
Thats totally misleading, firstly there is no point in encrypting data which can be seen in the browser address bar when the previous session is restored. Secondly, those are url params, sent in plain text over the wire. The problem with the example shown is not at the browser end, its the site at the other end which uses url params for auth over http not https.

Storm in a teacup anyone?
Click to expand...

What you're saying makes complete sense, but... it can't be that simple. All those sites, and MacRumors reporting it as if it were a scandal. There must be more to it.
 
Parasprite

Parasprite

macrumors 68000
Mar 5, 2013
1,698
144
While the security here is more akin to in-browser "Show Password"-type buttons (Firefox, Chrome) than the article (plaintext - exploitable by simple text searching) I'm nonetheless amazed that already auto-completed passwords can be seen by right-clicking the password box and hitting "inspect element".

Northgrove said:
Is it just me, or is that password encoded in the URL itself?
Click to expand...

I sometimes type a portion of my password into the history search box to see if anything will come up. I haven't seen anything yet, but I would'n doubt it (there are some pretty bad coders out there).

Now if only Chrome had a better history search...
 
Goozak

Goozak

macrumors newbie
Feb 22, 2009
9
0
Montreal, QC
john.jansen said:
... those are url params, sent in plain text over the wire. ...
Click to expand...

The textual representation is the same between POST and GET data; the difference being that GET data uses the URL for transmission, while POST data does not. I would venture that the screenshot actually shows POST data (which probably was sent over HTTPS).
 
baryon

baryon

macrumors 68040
Oct 3, 2009
3,878
2,929
Next: Your iCloud Keychain can be accessed in plain text by anyone anywhere.

The point is: the only place any information is safe is in your HEAD.
 
D

Dave-Z

macrumors 6502a
Jun 26, 2012
861
1,447
Well, most people (should) go by the motto: Physical access = full access. So this issue is kind of moot.

Nevertheless, regardless of the protocol (SSL or otherwise), this seems like a stupid oversight and should never have occurred to begin with.
 
C

cantona1995

macrumors newbie
Mar 7, 2013
4
0
batchtaster said:
Has nobody looked at Firefox's Saved Passwords feature? Literally the only security is a button labeled "Show Passwords". And it's been that way for years.

Image
Click to expand...

But you need to enter the Master Password to see them and the file that contains the passwords on the filesystem has its contents encrypted so not the same at all
 
benyu

benyu

macrumors newbie
Dec 11, 2013
3
3
cantona1995 said:
But you need to enter the Master Password to see them and the file that contains the passwords on the filesystem has its contents encrypted so not the same at all
Click to expand...

Maybe they meant in Google Chrome, because in Chrome you don't need to enter any password whatsoever. Someone on your computer (just using it for a few seconds even), can open Chrome, go to preferences, select "Advanced Settings" at the bottom, select "Manage saved passwords", then "Show password"! No password entry required to show the password in plain text! At least the Mac OS X Keychains are locked with the login password by default.

As for this supposed "security issue" with old versions of Safari, it seems a moot point to encrypt this data from the last session if the user/pass is in plain text in the URL itself. That's the website's security hole, not Safari's.
 
Parasprite

Parasprite

macrumors 68000
Mar 5, 2013
1,698
144
OldSchoolMacGuy said:
What's the default state of the Keychain? Nice and open for everyone to access.
Click to expand...

Really? I always have to enter a user password when accessing any password (via "show password") despite the keychain appearing "Unlocked". Even on the "Limited" user profile that I have set up with no password*, it still always asks for a password (which was mildly confusing at first) to which submitting it blank would reveal the password.

Unlike Chrome, which doesn't even give me the courtesy of offering a false sense of security. :rolleyes:

*Yeah, yeah. I know...
 
OldSchoolMacGuy

OldSchoolMacGuy

Suspended
Jul 10, 2008
4,197
9,050
Parasprite said:
Really? I always have to enter a user password when accessing any password (via "show password") despite the keychain appearing "Unlocked". Even on the "Limited" user profile that I have set up with no password*, it still always asks for a password (which was mildly confusing at first) to which submitting it blank would reveal the password.

Unlike Chrome, which doesn't even give me the courtesy of offering a false sense of security. :rolleyes:

*Yeah, yeah. I know...
Click to expand...

OS X ships with the normal default state being that the Keychain is unlocked. Makes things much easier for the general user so most don't change that but also makes things less secure.
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom