Bugtraq mailing list archives

RE: Apple Safari on MacOSX may reveal user's saved passwords

From: "Lucas, Mark J." <mjlucas () caltech edu>
Date: Mon, 14 May 2007 13:58:23 -0700

If I'm reading this correctly, there has to be a malicious user at the
console of a logged in computer (or connected in some other
authenticated way).  If I have a malicious user at my console logged in
as me, I've got more problems than web form passwords being revealed.

Am I reading this incorrectly?

Apple Safari on Macosx may reveal user's saved passwords. A local user

with

legitimate access to the system is able to steal keychained password

by injecting

javascripts into a loaded webpage via applescript.
It seems that safari fails to validate the source of injected code,

however apple

belives this is the correct behaviour so no fixes will be made

available.

Current thread:

Apple Safari on MacOSX may reveal user's saved passwords poplix (May 14)
- RE: Apple Safari on MacOSX may reveal user's saved passwords Lucas, Mark J. (May 14)
  - Re: Apple Safari on MacOSX may reveal user's saved passwords stephen joseph butler (May 16)
- <Possible follow-ups>
- RE: Apple Safari on MacOSX may reveal user's saved passwords mailbox () martinelli com (May 14)
  - RE: Apple Safari on MacOSX may reveal user's saved passwords samelinux (May 15)
- Re: RE: Apple Safari on MacOSX may reveal user's saved passwords poplix (May 15)
  - Re: Apple Safari on MacOSX may reveal user's saved passwords David Cantrell (May 16)
    - Re: Apple Safari on MacOSX may reveal user's saved passwords graham . coles (May 16)
    - Re: Apple Safari on MacOSX may reveal user's saved passwords Ian Ward Comfort (May 16)
    - Re: Apple Safari on MacOSX may reveal user's saved passwords David Cantrell (May 17)
    - Re: Apple Safari on MacOSX may reveal user's saved passwords graham . coles (May 17)
    - Re: Apple Safari on MacOSX may reveal user's saved passwords poplix (May 18)

(Thread continues...)