Kaspersky researchers have discovered that Apple's Safari web browser on OS X stores session information, including usernames and passwords, in a plain-text XML file that any user on the machine can read.
[UPDATE: I have checked with Kaspersky and they say that this problem was fixed in Safari 6.1. This fact is not in their blog, or at least it wasn't in the initial version. Since Safari 6.1 comes by default on OS X 10.9 (Mavericks), users on that OS are not affected. Apple also did supply a Safari 6.1 update for OS X 10.8 (Mountain Lion) and OS X 10.7 (Lion), so users who apply that update will not be vulnerable.]
Like many other browsers, Safari can save the locations and state of open web pages when the user exits, in order to restore them when the browser is reopened. When Safari does this, according to Kaspersky researcher Vyacheslav Zakorzhevsky, it saves the session state in a file named LastSession.plist. The file is in a hidden directory, but access to it is not restricted, and the data in it is unencrypted even if the session itself used HTTPS.
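A defender-side audit for the exposure described above, added here as an example and not code from Kaspersky, Apple or the article: it parses a session plist, flags URLs that carry embedded credentials or password-like query parameters and values stored under password-like keys, and reports whether the file's permission bits let other users read it. The key names in the constructed sample and the SENSITIVE heuristic are assumptions; the article does not document the real file's schema.

```python
import os
import plistlib
from urllib.parse import urlsplit

# Key fragments that suggest a stored value is a credential (assumed heuristic).
SENSITIVE = ("password", "passwd", "pwd", "token", "secret")

def walk(node, path=()):
    """Yield (key_path, value) for every scalar in a parsed plist tree."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from walk(v, path + (str(k),))
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from walk(v, path + (str(i),))
    else:
        yield path, node

def find_exposed_secrets(plist_bytes):
    """Return (kind, key_path) findings for credential-like data in a session plist."""
    findings = []
    for path, value in walk(plistlib.loads(plist_bytes)):
        if not isinstance(value, str):
            continue
        where = "/".join(path)
        if value.startswith(("http://", "https://")):
            parts = urlsplit(value)
            if parts.username or parts.password:  # user:pass@host embedded in the URL
                findings.append(("credentials-in-url", where))
            if any(s in parts.query.lower() for s in SENSITIVE):  # ?password=... in query
                findings.append(("sensitive-query", where))
        elif path and any(s in path[-1].lower() for s in SENSITIVE):  # stored form value
            findings.append(("sensitive-key", where))
    return findings

def mode_is_world_readable(mode):
    """True when group or other read bits are set (0o644 yes, 0o600 no)."""
    return bool(mode & 0o044)

def audit(path):
    """Audit a real session file: (readable by other users?, exposed-secret findings)."""
    with open(path, "rb") as f:
        findings = find_exposed_secrets(f.read())
    return mode_is_world_readable(os.stat(path).st_mode), findings

# Constructed sample with illustrative key names, not Safari's real plist schema.
SAMPLE_SESSION = plistlib.dumps({"SessionWindows": [{"TabStates": [
    {"TabURL": "https://user:hunter2@mail.example.test/inbox", "TabTitle": "Inbox"},
    {"TabURL": "https://shop.example.test/login?user=alice&password=s3cret",
     "FormData": {"Password": "s3cret"}},
]}]})
```

Running `audit()` on an actual LastSession.plist returns `True` for the permission flag whenever the file is readable by group or others, which is the condition the article describes.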
