Older Versions of Safari Store Login Info in Plain Text - MacRumors
Skip to Content

Older Versions of Safari Store Login Info in Plain Text

by

Older versions of Safari for Mac store unencrypted user login credentials in a plain text file, according to security firm Kaspersky (via ZDNet). Safari saves the information in order to restore a previous browsing session, reopening all sites, even those that require authentication using the browser's "Reopen All Windows from Last Session" functionality.

safari_loophole_01

Plist file screenshot showing login credentials from Kaspersky

It turns out that Safari for Mac OS, like many other contemporary browsers, can restore the previous browsing session. In other words, all the sites that were open in the previous session – even those that required authorization – can be restored in a few simple steps when the browser is launched. Convenient? Of course. Safe? No, unfortunately.

Safari 6.0.5 for OS X 10.8.5 and 10.7.5 does not encrypt previous sessions, storing them instead in a standard LastSession.plist file that includes website usernames and passwords. Though the file is located in a hidden folder, it is still easily accessible and can be opened on any system.

Apple fixed this issue in Safari 6.1, which was released alongside OS X 10.9 Mavericks. Mac users running Mavericks or those who have installed the Safari 6.1 update for OS X 10.8 Mountain Lion or OS X 10.7 Lion will not be affected. This problem is limited to users running Safari 6.0.5 and can be remedied by upgrading to the latest software.

Top Rated Comments

john.jansen Avatar
john.jansen
163 months ago
Thats totally misleading, firstly there is no point in encrypting data which can be seen in the browser address bar when the previous session is restored. Secondly, those are url params, sent in plain text over the wire. The problem with the example shown is not at the browser end, its the site at the other end which uses url params for auth over http not https.

Storm in a teacup anyone?
Score: 22 Votes (Like | Disagree)
B
batchtaster
163 months ago
Has nobody looked at Firefox's Saved Passwords feature? Literally the only security is a button labeled "Show Passwords". And it's been that way for years.

Score: 11 Votes (Like | Disagree)
O
osx11
163 months ago
Sometimes it amazes me how simple things like this go unnoticed for so long.
Score: 8 Votes (Like | Disagree)
C
cantona1995
163 months ago
Has nobody looked at Firefox's Saved Passwords feature? Literally the only security is a button labeled "Show Passwords". And it's been that way for years.

Image (http://cdn2.brunocunha.com/blog/wp-content/uploads/2013/08/firefox-passwords.png)

But you need to enter the Master Password to see them and the file that contains the passwords on the filesystem has its contents encrypted so not the same at all
Score: 5 Votes (Like | Disagree)
iSee Avatar
iSee
163 months ago
Thats totally misleading, firstly there is no point in encrypting data which can be seen in the browser address bar when the previous session is restored. Secondly, those are url params, sent in plain text over the wire. The problem with the example shown is not at the browser end, its the site at the other end which uses url params for auth over http not https.

Storm in a teacup anyone?

BOOM! You just sunk Kaspersky's battle ship.
Score: 4 Votes (Like | Disagree)
rboerdijk Avatar
rboerdijk
163 months ago
<sarcasm on>
If the password is visible in plaintext, it means the NSA will catch more terrorists. So this is basically a good thing.
</sarcasm off>
Score: 4 Votes (Like | Disagree)
Read All Comments

Popular Stories

HomePod mini and Apple TV Sage

New Apple TV and HomePod Mini Are 'Nearly Ready' to Launch, New Siri Remote Also Rumored

Sunday May 31, 2026 8:47 am PDT by
New models of the Apple TV 4K and HomePod mini are "nearly ready to go," according to the latest word from Bloomberg's Mark Gurman. Subscribe to the MacRumors YouTube channel for more videos. Both devices have been ready "for months," but Apple is holding off on launching them until the more personalized version of Siri is available, he said. "I am told the hardware for the next Apple TV...
Read Full Article139 comments
Apple Wallet

iOS 27 Will Add Two New Apple Wallet Features to Your iPhone

Monday June 1, 2026 12:15 pm PDT by
Apple is set to unveil iOS 27 during its WWDC 2026 keynote on Monday, June 8, and the update will reportedly include two new Apple Wallet features. First, iOS 27 will reportedly let users create their own digital passes by scanning items like movie tickets, concert passes, and gym membership cards. Many apps already offer Apple Wallet passes, but now users will be able to create a custom...
Read Full Article
Apple Foldable Thumb

First 'Confirmed' iPhone Ultra Color Allegedly Revealed in Leaked Image

Monday June 1, 2026 4:39 am PDT by
Apple is expected to launch its first foldable iPhone later this year. Rumors suggest the "iPhone Ultra" will come in two color options, and a leaker shared an image today that allegedly shows one of them. Posted on Weibo by the Chinese leaker known as Ice Universe, the image purportedly offers a first glimpse of Apple's foldable in white. The device is believed to have entered early mass...
Read Full Article98 comments