<sarcasm on>
If the password is visible in plaintext, it means the NSA will catch more terrorists. So this is basically a good thing.
</sarcasm off>
 
Is it just me, or is that password encoded in the URL itself?

That's risking security breaches like mad if true, Safari or not.

"Oh hai, I found your password in your browser history. And hey, here I saw it once again when the address bar autocompleted your URL and I was sitting next to you!" (I'm probably missing a lot of completely different scenarios)

I think it is a bit much to expect Safari to encode the URL info itself. That one should never contain sensitive info

It's not the URL. It's the POST string :) That said, it's pretty bad they're storing it as plain text.
 
OS X ships with the normal default state being that the Keychain is unlocked. Makes things much easier for the general user so most don't change that but also makes things less secure.

I'm not certain of that. If I lock the keychain it gives me the same behavior on clicking "show password", except instead it asks for the password twice. Are you sure you didn't just click "Always Allow" at some point?

 
Meh, doesn't bother me that much. They have password protection for the actual computer the browser is running on after all. I don't know. Maybe I'm just old-fashioned.
 
Meh, doesn't bother me that much. They have password protection for the actual computer the browser is running on after all. I don't know. Maybe I'm just old-fashioned.

It bothers me more that "it's designed that way" than it actually bothers me based on actual security problems that I'm actually worried about.
 
I wish nothing in Mac OS saved windows to be opened later, or at least that it was easy to turn that off. Every time I restart, 100000000000000 Finder windows and some random TextEdit documents open when I log back in. Just plain annoying.

----------

Meh, doesn't bother me that much. They have password protection for the actual computer the browser is running on after all. I don't know. Maybe I'm just old-fashioned.

Well, that password protection is quite thin. You just can't use the screen of that computer. The data is on the hard drive and can be stolen if it needs to be. Not a problem for me, though.
 
I wish nothing in Mac OS saved windows to be opened later, or at least that it was easy to turn that off. Every time I restart, 100000000000000 Finder windows and some random TextEdit documents open when I log back in. Just plain annoying.

Personally, I haven't had any issues since Mavericks. Whatever I left open will resume (as it's designed to do). The only exception to this is Microsoft Word/PowerPoint/Excel which always open a new document when I restart without quitting.

That being said...

Have you tried un-ticking the box that says "re-open windows when logging back in"?
Have you tried closing them before you restart? (Don't just quit the app.)
Have you tried using just one Finder window (I kid, I kid)
 
Have you tried un-ticking the box that says "re-open windows when logging back in"?
Have you tried closing them before you restart? (Don't just quit the app.)
Have you tried using just one Finder window (I kid, I kid)

It usually ignores my choice for "re-open windows when logging back in". It keeps them closed if I close them all before the reboot except (I think) in the case of Finder. And your last (joke) suggestion might not even work :eek:
 
That's totally misleading. Firstly, there is no point in encrypting data which can be seen in the browser address bar when the previous session is restored. Secondly, those are URL params, sent in plain text over the wire. The problem with the example shown is not at the browser end; it's the site at the other end which uses URL params for auth over HTTP, not HTTPS.

Storm in a teacup anyone?

BOOM! You just sunk Kaspersky's battle ship.
 
Has nobody looked at Firefox's Saved Passwords feature? Literally the only security is a button labeled "Show Passwords". And it's been that way for years.


All I noticed was the fugly UI. :p

That said, I think you're missing the configuration option one screen back that lets you set a master password (at least that's how it works on a Mac).
 
Is it just me, or is that password encoded in the URL itself?

That's just you not understanding how HTML Form submissions work. All data gets encoded in that way for standard forms for any website. What keeps it secure is the pipe it travels over. So the form should be getting submitted over an HTTPS (S for Secure) pipe instead of the non-secure HTTP protocol.

It appears that Safari is just holding on to the session info from the original login submission and then resubmitting when authorized by the user.
 
I tested it with an HTTPS POST login form. Safari stores the sent form data, including the password, in cleartext.

E.g. the forums.macrumors.com login:

Code:
Oú@Tqe⁄ûÎ!Bapplication/x-www-form-urlencodedsˆâvb_login_username=testuser&vb_login_password=testpassword&s=&securitytoken=guest&do=login&vb_login_md5password=&vb_login_md5password_utf=ÚíÒûÎSqe⁄ûÎ8https://forums.macrumors.com/Ä?ˇˇˇˇ_MacRumors Forums_.https://forums.macrumors.com/login.php?do=login_.https://forums.macrumors.com/login.php?do=login

Storm in a teacup anyone?

Nope.
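The post a few replies up explaining how HTML form submissions are encoded, and the LastSession.plist dump above, together describe the problem: the browser builds a url-encoded body for the login POST, HTTPS protects that body only in transit, and Safari then writes the same body to disk. The Python script below is an added example, not code from this thread or from Apple. It reconstructs such a body with urlencode, then scans a byte blob for the content-type marker and reports which form fields hold credential-like values, redacting the values themselves. The sample bytes are constructed to mimic the dump (they are not a real binary plist), and the field-name heuristic is an assumption; both are marked as such in the code.

```python
from __future__ import annotations

import re
from urllib.parse import parse_qs, urlencode

# The content-type marker that precedes the stored form body in the dump above.
FORM_MARKER = b"application/x-www-form-urlencoded"

# Heuristic (an assumption, not from the thread): field names that usually
# carry secrets. Extend it for the applications you care about.
SECRET_NAME_RE = re.compile(r"pass(word|wd)?|pwd|secret|token", re.IGNORECASE)

# A url-encoded body is a run of key=value pairs joined by '&' using only
# URL-safe bytes; the binary framing bytes around it terminate the match.
_FIELD = rb"[A-Za-z0-9_.%+*~\-]"
FORM_BODY_RE = re.compile(
    _FIELD + rb"+=" + _FIELD + rb"*(?:&" + _FIELD + rb"+=" + _FIELD + rb"*)*"
)


def build_login_body(username: str, password: str) -> str:
    """Build the body a browser sends for a standard login form.

    This is the encoding the earlier post describes: each field becomes
    key=value, joined with '&'. Nothing here is encrypted; HTTPS protects it
    on the wire, and nothing protects it once a browser writes it to disk.
    """
    return urlencode({"vb_login_username": username,
                      "vb_login_password": password,
                      "do": "login"})


def extract_form_bodies(blob: bytes) -> list[tuple[int, str]]:
    """Return (offset, body) for every form body found after a marker."""
    bodies = []
    pos = 0
    while True:
        idx = blob.find(FORM_MARKER, pos)
        if idx < 0:
            break
        match = FORM_BODY_RE.search(blob, idx + len(FORM_MARKER))
        if match is None:
            break
        bodies.append((match.start(), match.group(0).decode("ascii")))
        pos = match.end()
    return bodies


def scan_for_cleartext_credentials(blob: bytes) -> list[dict]:
    """Report credential-like fields stored in cleartext, values redacted.

    Each finding records the field name, the byte offset of the body it came
    from and the length of the value, never the value itself, so the report
    can be shared without re-leaking the secret.
    """
    findings = []
    for offset, body in extract_form_bodies(blob):
        fields = parse_qs(body, keep_blank_values=True)
        for name, values in fields.items():
            if SECRET_NAME_RE.search(name) and any(values):
                findings.append({"field": name, "offset": offset,
                                 "value_length": max(len(v) for v in values)})
    return findings


def scan_file(path: str) -> list[dict]:
    """Scan a session-restore file on disk (e.g. Safari's LastSession.plist)."""
    with open(path, "rb") as fh:
        return scan_for_cleartext_credentials(fh.read())


# Constructed sample bytes mimicking the dump in the thread. This is NOT a
# real binary plist; the framing bytes are invented so the example runs offline.
SAMPLE_SESSION = (
    b"bplist00\xd1\x01\x02Tqe\xc3\x9e"
    + FORM_MARKER
    + b"s\xcb\x86\xc3\xa2"                             # junk framing bytes
    + build_login_body("testuser", "testpassword").encode("ascii")
    + b"&s=&securitytoken=guest&vb_login_md5password="
    + b"\xda\xed\xd2\xfb\x80"                          # more framing bytes
    + b"https://forums.macrumors.com/login.php?do=login"
)

if __name__ == "__main__":
    for finding in scan_for_cleartext_credentials(SAMPLE_SESSION):
        print(f"{finding['field']}: {finding['value_length']}-char value "
              f"at offset {finding['offset']}")
```

Run it against a copy of the real file with `scan_file(path)`; the output names the leaking fields and their offsets without reproducing the secrets, which is what you want in an incident note or a bug report.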
 
What's the default state of the Keychain? Nice and open for everyone to access.

No, it's not. The Keychain is always encrypted, and it's unlocked when you login. To prove this to yourself, try opening another user's Keychain on your computer. You won't be able to read it without that user's login credentials.
 
That's totally misleading. Firstly, there is no point in encrypting data which can be seen in the browser address bar when the previous session is restored. Secondly, those are URL params, sent in plain text over the wire.

I can't believe this post got up-voted so much.

You haven't demonstrated that the contents in LastSession.plist do contain raw URL data.

Congratulations for using big words and almost sounding like you know what you are talking about though.

----------

I tested it with an HTTPS POST login form. Safari stores the sent form data, including the password, in cleartext.

E.g. the forums.macrumors.com login:

Code:
Oú@Tqe⁄ûÎ!Bapplication/x-www-form-urlencodedsˆâvb_login_username=testuser&vb_login_password=testpassword&s=&securitytoken=guest&do=login&vb_login_md5password=&vb_login_md5password_utf=ÚíÒûÎSqe⁄ûÎ8https://forums.macrumors.com/Ä?ˇˇˇˇ_MacRumors Forums_.https://forums.macrumors.com/login.php?do=login_.https://forums.macrumors.com/login.php?do=login

Nope.


My Goodness! Some who actually reproduced the issue before running their mouth on the internet! :eek: Bet he won't get +18 though like the other guy making things up!
 
Has nobody looked at Firefox's Saved Passwords feature? Literally the only security is a button labeled "Show Passwords". And it's been that way for years.


LastPass is no better; once you're in (and it can do so automatically) you can view all the passwords. I am using LastPass, but not for PayPal, credit card or bank; it just sucks.:mad:
 
Not by default.

I have several factory direct Macs right here. By default the Keychain is open when creating an account when first setting your Mac up. Has been that way since OS X was first released.

----------

That's misleading. See the Access Control tab for a keychain item.

You have to change default settings to do that. Which is something very few ever do.

----------

No, it's not. The Keychain is always encrypted, and it's unlocked when you login. To prove this to yourself, try opening another user's Keychain on your computer. You won't be able to read it without that user's login credentials.

You said yourself, the Keychain is unlocked when you login. All passwords can easily be taken from it when any user is logged in.
 
I have several factory direct Macs right here. By default the Keychain is open when creating an account when first setting your Mac up. Has been that way since OS X was first released.

Oops, I was referring to something else. The keychain is unlocked; however, even when it's unlocked, you can't open Keychain Access and check the passwords without it asking for your login password. There's an "always allow" button in that prompt, and I'm guessing it would allow anyone to grab the passwords without a login password, but that's non-default.

----------

Has nobody looked at Firefox's Saved Passwords feature? Literally the only security is a button labeled "Show Passwords". And it's been that way for years.


I heard Chrome has a dumb password security flaw too. Basically it's always unlocked when the user is logged in. One of my friends hijacked another friend's email that way (no damage done). Can't they all get it right? Should not have ever been a problem.

----------

That's totally misleading. Firstly, there is no point in encrypting data which can be seen in the browser address bar when the previous session is restored. Secondly, those are URL params, sent in plain text over the wire. The problem with the example shown is not at the browser end; it's the site at the other end which uses URL params for auth over HTTP, not HTTPS.

Storm in a teacup anyone?

What version of computing technology are you using? 100% wrong.
 
I wish nothing in Mac OS saved windows to be opened later, or at least that it was easy to turn that off. Every time I restart, 100000000000000 Finder windows and some random TextEdit documents open when I log back in. Just plain annoying.

----------



Well, that password protection is quite thin. You just can't use the screen of that computer. The data is on the hard drive and can be stolen if it needs to be. Not a problem for me, though.

Ah, you make a good point my friend. Didn't think of that.
 
You said yourself, the Keychain is unlocked when you login. All passwords can easily be taken from it when any user is logged in.

The keychain is unlocked, but the passwords are not visible unless you input the login password. So, if I go sit down on Joe Computer User's laptop while he's in the other room, I won't be able to see any of the keychain's passwords unless I know his login password, even if his computer is logged into his account.
 
The keychain is unlocked, but the passwords are not visible unless you input the login password. So, if I go sit down on Joe Computer User's laptop while he's in the other room, I won't be able to see any of the keychain's passwords unless I know his login password, even if his computer is logged into his account.

Keychain.app is just one frontend for the actual keychain. Making one app ask for the password provides no security.

You can easily use the terminal, bring your own app (USB-Stick), use another third party app (like Chrome) to access the keychain.

If Joe is in the other room and he's logged in while the keychain is open you don't need a password to read his keychain.
 
That's not the case if you set the master password in Firefox.

IF you set the master password in Firefox.

I've installed it many times, and I don't remember ever being prompted to enter a master password, so I'd assume the vast majority of Firefox users do not have a master password enabled, making the master password pretty much useless.
 
Oops, I was referring to something else. The keychain is unlocked; however, even when it's unlocked, you can't open Keychain Access and check the passwords without it asking for your login password. There's an "always allow" button in that prompt, and I'm guessing it would allow anyone to grab the passwords without a login password, but that's non-default.


Dependent on how the request is issued, all that is required is simply clicking the "Allow" button. A program can simply request access then click the button itself.

----------

The keychain is unlocked, but the passwords are not visible unless you input the login password. So, if I go sit down on Joe Computer User's laptop while he's in the other room, I won't be able to see any of the keychain's passwords unless I know his login password, even if his computer is logged into his account.

Again, it depends on what request is issued.



It's easy enough to request access then have the program itself click "Allow" and grab the password.
 