ID: IRCNE2013122042
Date: 2013-12-14
According to "zdnet", Kaspersky researchers have discovered that Apple's Safari web browser on OS X stores session information, including the username and password, in a plain text XML file, available for any user to read.
Like many other browsers, Safari can save the locations and state of open web pages when the user exits in order to reestablish then when the browser is reopened. When Safari does this, according to Kaspersky researcher Vyacheslav Zakorzhevsky, it saves the session state in a file named LastSession.plist. The file is in a hidden directory, but access to it is not restricted. The data in the file is unencrypted, even if the session itself used HTTPS.
Kaspersky says they have confirmed the issue on these versions of OS X and Safari:
OSX10.8.5, Safari 6.0.5 (8536.30.1)
OSX10.7.5, Safari 6.0.5 (7536.30.1)
The potential downside is that a malicious user or program, even with an unprivileged account, could gain access to a user's web site login credentials. Kaspersky says "As far as we are concerned, storing unencrypted confidential information with unrestricted access is a major security flaw that gives malicious users the opportunity to steal user data with a minimum of effort."
They have informed Apple, but have not yet received a response.
- 2