Older Safari for Mac Stores Unencrypted Passwords

Apple's Safari Web browser for the Mac can restore open webpages after relaunching, but that convenience comes at the price of security. The problem, according to security analysis company Kaspersky Labs, is that Safari 6.0.5 stores the passwords for site logins in an unencrypted file, which means anyone who knows where to look can potentially read your site credentials without any special software.

Safari 6.0.5 flaw can expose website passwords

Kaspersky Labs' Vyacheslav Zakorzhevsky said Safari "doesn't encrypt previous sessions and stores them in a standard plist file that is freely accessible. As a result, it's easy to find a user's login credentials."

The file that holds site and session data is tucked away in a hidden folder, but that doesn't keep the information safe from anyone with more than a rudimentary understanding of OS X.

The upside is that Apple has fixed the security flaw as of Safari 6.1, which is the version of the browser that ships with OS X 10.9 Mavericks. There's also a Safari 6.1 update for OS X Mountain Lion, although the Kaspersky report fails to mention that either is available.

While the security flaw should never have been there, Apple has corrected the issue with the release of OS X Mavericks and through a software update for Mountain Lion. If your Mac runs Mavericks, the security flaw isn't there, and Mountain Lion users who regularly run Software Update have been safe since October, too.