mailing list archives
Re: Apple Safari on MacOSX may reveal user's saved passwords
From: "stephen joseph butler" <stephen.butler () gmail com>
Date: Wed, 16 May 2007 10:53:18 -0500
On 5/14/07, Lucas, Mark J. <mjlucas () caltech edu> wrote:
If I'm reading this correctly, there has to be a malicious user at the
console of a logged in computer (or connected in some other
authenticated way). If I have a malicious user at my console logged in
as me, I've got more problems than web form passwords being revealed.
Am I reading this incorrectly?
No, you're right. Part of the point is that Safari is reading these
passwords from Keychain. And the whole point of Keychain is preventing
unauthorized programs from getting at the datastore. If a rogue
program asked for these passwords directly, then Keychain would
present a dialog alerting the user. But as the applescript shows, the
program can get Safari to essentially act on its behalf.