Skip to content

MAC OS SAFARI – Loophole in Safari


Safari, however, doesn’t encrypt previous sessions and stores them in a standard plist file that is freely accessible. As a result, it’s easy to find a user’s login credentials: 

Screenshot of a plist file following an attempt to log in to Gmail

It’s pretty clear that the login and password are not encrypted (see the red oval in the screenshot).

The complete authorized session on the site is saved in the plist file in full view despite the use of https. The file itself is located in a hidden folder, but is available for anyone to read.

The system can easily open a plist file. It stores information about the saved session – including http requests encrypted using a simple Base64 encoding algorithm – in a structured format.  

An open plist file

There is a function in Safari – ‘Reopen All Windows from Last Session’ – that allows sites to be opened exactly as they were at the end of the previous session. This is the function that uses LastSession.plist.

The ‘Reopen All Windows from Last Session’ function in Safari

The function is available in the following versions of Mac OS X and Safari:

  • OSX10.8.5, Safari 6.0.5 (8536.30.1)
  • OSX10.7.5, Safari 6.0.5 (7536.30.1)

You can just imagine what would happen if cybercriminals or a malicious program got access to the LastSession.plist file on a system where the user logs in to Facebook, Twitter, LinkedIn or their online bank account.  

As far as we are concerned, storing unencrypted confidential information with unrestricted access is a major security flaw that gives malicious users the opportunity to steal user data with a minimum of effort.   

We have informed Apple about the problem.

At the current time we can’t confirm whether or not there is malicious code out there that targets this file, but we’re ready to bet that it won’t be long before it appears.

From → MAC OS, Uncategorized

Leave a Comment

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: