MAC OS SAFARI – Loophole in Safari
Safari, however, doesn’t encrypt previous sessions and stores them in a standard plist file that is freely accessible. As a result, it’s easy to find a user’s login credentials:
It’s pretty clear that the login and password are not encrypted (see the red oval in the screenshot).
The complete authorized session on the site is saved in the plist file in full view despite the use of https. The file itself is located in a hidden folder, but is available for anyone to read.
The system can easily open a plist file. It stores information about the saved session – including http requests encrypted using a simple Base64 encoding algorithm – in a structured format.
There is a function in Safari – ‘Reopen All Windows from Last Session’ – that allows sites to be opened exactly as they were at the end of the previous session. This is the function that uses LastSession.plist.
The function is available in the following versions of Mac OS X and Safari:
- OSX10.8.5, Safari 6.0.5 (8536.30.1)
- OSX10.7.5, Safari 6.0.5 (7536.30.1)
You can just imagine what would happen if cybercriminals or a malicious program got access to the LastSession.plist file on a system where the user logs in to Facebook, Twitter, LinkedIn or their online bank account.
As far as we are concerned, storing unencrypted confidential information with unrestricted access is a major security flaw that gives malicious users the opportunity to steal user data with a minimum of effort.
We have informed Apple about the problem.
At the current time we can’t confirm whether or not there is malicious code out there that targets this file, but we’re ready to bet that it won’t be long before it appears.