Older Safari for Mac Stores Unencrypted Passwords


Apple's Safari Web browser for the Mac may be convenient, but its ability to restore open webpages after a relaunch comes at the price of security. The problem, according to security analysis company Kaspersky Labs, is that Safari 6.0.5 stores the passwords for site logins in an unencrypted file, which means anyone who knows where to look can potentially read your site credentials without any special software.

[Image: Safari 6.0.5 flaw can expose website passwords]

Kaspersky Labs' Vyacheslav Zakorzhevsky said Safari "doesn't encrypt previous sessions and stores them in a standard plist file that is freely accessible. As a result, it's easy to find a user's login credentials."

The file that holds site and session data is tucked away in a hidden folder, but that doesn't keep the information safe from anyone with more than a rudimentary understanding of OS X.

The upside is that Apple has fixed the security flaw as of Safari 6.1, which is the version of the browser that ships with OS X 10.9 Mavericks. There's also a Safari 6.1 update for OS X Mountain Lion, although the Kaspersky report fails to mention that either is available.

While the security flaw should never have been there, Apple has corrected the issue with the release of OS X Mavericks and through a software update for Mountain Lion. If your Mac runs Mavericks, the security flaw isn't there, and Mountain Lion users who regularly run Software Update have been safe since October, too.


3 Comments

waltp

Would the person trying to access this unencrypted file need to have physical access to your computer? If so, this threat seems to be very remote for most folks who use a Mac at home.

Lee Dronick

  The upside is that Apple has fixed the security flaw as of Safari 6.1, which is the version of the browser that ships with OS X 10.9 Mavericks. There’s also a Safari 6.1 update for OS X Mountain Lion, although the Kaspersky report fails to mention that either is available.

Well, they are in the business of selling security.

jbruni

Physical access would not be needed. You only need to run a process with the same read access as the owner of the file. This is the sort of vulnerability that would be the target of another vulnerability opened by the likes of Java or Flash. If the Flash process can read the file, it could forward its contents to the command and control.
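A small audit script that ties the article's fix (Safari 6.1 or later) to the comment above about same-user read access: it reports whether the installed Safari predates 6.1 and whether the restore-session plist is readable beyond its owner. This is an added example, not code from the article or from Kaspersky; it assumes Safari's bundle Info.plist at /Applications/Safari.app/Contents/Info.plist with the standard CFBundleShortVersionString key, and it assumes the session data lives at ~/Library/Safari/LastSession.plist (the article does not name the file, so the path is an assumption).

```python
"""Check a Mac for the Safari 6.0.5 plaintext-session issue (added example)."""
import os
import plistlib
import stat

FIXED_VERSION = (6, 1)  # the article: flaw fixed as of Safari 6.1
SAFARI_INFO = "/Applications/Safari.app/Contents/Info.plist"  # assumed location
SESSION_FILE = os.path.expanduser("~/Library/Safari/LastSession.plist")  # assumed name


def parse_version(text):
    """'6.0.5' -> (6, 0, 5); a non-numeric suffix such as '6.1b1' is ignored."""
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(version_text):
    """True when the installed Safari predates the 6.1 fix."""
    return parse_version(version_text) < FIXED_VERSION


def installed_safari_version(info_plist=SAFARI_INFO):
    """Read CFBundleShortVersionString; None when the bundle is not present."""
    try:
        with open(info_plist, "rb") as fh:
            return plistlib.load(fh).get("CFBundleShortVersionString")
    except (OSError, plistlib.InvalidFileException):
        return None


def session_file_exposure(path=SESSION_FILE):
    """Return (exists, readable_by_group_or_others) for the session plist."""
    try:
        mode = os.stat(path).st_mode
    except OSError:
        return (False, False)
    return (True, bool(mode & (stat.S_IRGRP | stat.S_IROTH)))


if __name__ == "__main__":
    ver = installed_safari_version()
    print("Safari version:", ver or "not found")
    if ver and is_affected(ver):
        print("AFFECTED: update to Safari 6.1 or later via Software Update")
    exists, shared = session_file_exposure()
    print("session plist present:", exists, "| readable beyond owner:", shared)
```

Note that a same-user process (the scenario in the comment) can read the file regardless of the mode bits, so only the version check is the real mitigation; the permission check just rules out wider exposure.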
