Older Versions of Safari Store Login Info in Plain Text

Older versions of Safari for Mac store unencrypted user login credentials in a plain text file, according to security firm Kaspersky (via ZDNet). Safari saves the information so that it can restore a previous browsing session: the browser's "Reopen All Windows from Last Session" feature reopens every site that was open, including those that required the user to log in.

Plist file screenshot showing login credentials (image from Kaspersky)
It turns out that Safari for Mac OS, like many other contemporary browsers, can restore the previous browsing session. In other words, all the sites that were open in the previous session – even those that required authorization – can be restored in a few simple steps when the browser is launched. Convenient? Of course. Safe? No, unfortunately.
Safari 6.0.5 for OS X 10.8.5 and 10.7.5 does not encrypt previous sessions, storing them instead in a standard LastSession.plist file that includes website usernames and passwords. Though the file is located in a hidden folder, it is still easily accessible and can be opened on any system.

Apple fixed this issue in Safari 6.1, which was released alongside OS X 10.9 Mavericks. Mac users running Mavericks or those who have installed the Safari 6.1 update for OS X 10.8 Mountain Lion or OS X 10.7 Lion will not be affected. This problem is limited to users running Safari 6.0.5 and can be remedied by upgrading to the latest software.
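The readers below point out that the credentials in Kaspersky's example are part of the page URL itself. Whether or not Safari encrypts the session file, a URL that carries a password is also in the history, the address bar and, over plain http, on the wire. The script that follows is an added example (not code from the article or from Kaspersky) that audits a LastSession.plist for exactly that: it walks the session's recorded URLs and flags any with a password in the userinfo part, a secret-looking query parameter, or plain http on top of either. The plist lives under ~/Library/Safari on the affected releases (the hidden folder the article mentions); the key names (SessionWindows, TabStates, TabURL, SessionHistory, SessionHistoryEntries, SessionHistoryEntryURL) are assumed from the Safari 6-era layout, the list of secret parameter names is an assumption, and the sample session is constructed here so the script runs offline.

```python
"""Audit a Safari LastSession.plist for URLs that carry credentials.

Added example, not code from the article or from Kaspersky. The key names
below are assumed from the Safari 6-era file layout; the sample session at
the bottom is constructed for illustration and the values are made up.
"""
import plistlib
from urllib.parse import urlsplit, parse_qsl

# Query parameter names that commonly carry secrets (assumed list; extend as needed).
SECRET_PARAMS = {"password", "passwd", "pwd", "pass", "token", "session", "auth"}


def session_urls(plist_bytes):
    """Yield every URL recorded in a LastSession.plist (binary or XML form)."""
    data = plistlib.loads(plist_bytes)  # plistlib autodetects the format
    for window in data.get("SessionWindows", []):
        for tab in window.get("TabStates", []):
            if "TabURL" in tab:
                yield tab["TabURL"]
            history = tab.get("SessionHistory", {})
            for entry in history.get("SessionHistoryEntries", []):
                if "SessionHistoryEntryURL" in entry:
                    yield entry["SessionHistoryEntryURL"]


def credential_findings(url):
    """Return the reasons a URL would leak credentials if stored in the clear.

    An empty list means the URL carries nothing that looks like a secret.
    """
    parts = urlsplit(url)
    reasons = []
    # Case 1: http://user:password@host/ style userinfo.
    if parts.password is not None:
        reasons.append("userinfo contains a password")
    # Case 2: secrets passed as query parameters, as in the login URL Kaspersky showed.
    leaked = [k for k, _ in parse_qsl(parts.query, keep_blank_values=True)
              if k.lower() in SECRET_PARAMS]
    if leaked:
        reasons.append("query carries " + ", ".join(sorted(set(leaked))))
    # Either case is worse over plain http: the same bytes cross the network unencrypted.
    if reasons and parts.scheme == "http":
        reasons.append("sent over plain http, so also visible on the wire")
    return reasons


def audit_session(plist_bytes):
    """Map each exposed URL in the session to its reasons; clean URLs are omitted."""
    findings = {}
    for url in session_urls(plist_bytes):
        reasons = credential_findings(url)
        if reasons:
            findings[url] = reasons
    return findings


# Constructed sample session: one window, two tabs. The first tab's history holds
# an http login URL built like the one in Kaspersky's screenshot; the second tab
# has credentials in the userinfo part. All values are made up.
SAMPLE_SESSION = {
    "SessionWindows": [{
        "TabStates": [
            {"TabURL": "https://example.com/inbox",
             "SessionHistory": {"SessionHistoryEntries": [
                 {"SessionHistoryEntryURL":
                      "http://example.com/login.php?login=alice&password=hunter2"},
                 {"SessionHistoryEntryURL": "https://example.com/inbox"}]}},
            {"TabURL": "http://alice:hunter2@example.org/admin/"},
        ]}]
}
SAMPLE_PLIST = plistlib.dumps(SAMPLE_SESSION, fmt=plistlib.FMT_BINARY)

if __name__ == "__main__":
    # For a real file: audit_session(open(path_to_LastSession_plist, "rb").read())
    for url, reasons in audit_session(SAMPLE_PLIST).items():
        print(url)
        for reason in reasons:
            print("  -", reason)
```

Run against the constructed session, the audit reports the two URLs that embed a password and leaves the https inbox URL alone. The same check applies to any browser's session or history store: a site that puts credentials in its URLs has already leaked them to every place the browser records URLs.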

Top Rated Comments

10 months ago
That's totally misleading. Firstly, there is no point in encrypting data which can be seen in the browser address bar when the previous session is restored. Secondly, those are URL params, sent in plain text over the wire. The problem with the example shown is not at the browser end; it's the site at the other end which uses URL params for auth over http, not https.

Storm in a teacup anyone?
Rating: 22 Votes
10 months ago
Has nobody looked at Firefox's Saved Passwords feature? Literally the only security is a button labeled "Show Passwords". And it's been that way for years.

Rating: 11 Votes
10 months ago
Sometimes it amazes me how simple things like this go unnoticed for so long.
Rating: 8 Votes
10 months ago

Has nobody looked at Firefox's Saved Passwords feature? Literally the only security is a button labeled "Show Passwords". And it's been that way for years.

Image (http://cdn2.brunocunha.com/blog/wp-content/uploads/2013/08/firefox-passwords.png)


But you need to enter the Master Password to see them, and the file that contains the passwords on the filesystem has its contents encrypted, so not the same at all.
Rating: 5 Votes
10 months ago

Has nobody looked at Firefox's Saved Passwords feature? Literally the only security is a button labeled "Show Passwords". And it's been that way for years.

Image (http://cdn2.brunocunha.com/blog/wp-content/uploads/2013/08/firefox-passwords.png)


Whether or not people have realized this, Apple's the bad guy we're supposed to criticize every move from, remember? /sarcasm
Rating: 4 Votes
10 months ago

Next: Your iCloud Keychain can be accessed in plain text by anyone anywhere.

The point is: the only place any information is safe is in your HEAD.


NOTHING is safe in my head. It is a scary place. :D
Rating: 4 Votes
10 months ago

That's totally misleading. Firstly, there is no point in encrypting data which can be seen in the browser address bar when the previous session is restored. Secondly, those are URL params, sent in plain text over the wire. The problem with the example shown is not at the browser end; it's the site at the other end which uses URL params for auth over http, not https.

Storm in a teacup anyone?


BOOM! You just sunk Kaspersky's battle ship.
Rating: 4 Votes
10 months ago
If the password is visible in plaintext, it means the NSA will catch more terrorists. So this is basically a good thing.
Rating: 4 Votes
10 months ago
Is it just me, or is that password encoded in the URL itself?

That's risking security breaches like mad if true, Safari or not.

"Oh hai, I found your password in your browser history. And hey, here I saw it once again when the address bar autocompleted your URL and I was sitting next to you!" (I'm probably missing a lot of completely different scenarios)

I think it is a bit much to expect Safari to encode the URL info itself. That one should never contain sensitive info.

----------

That's totally misleading. Firstly, there is no point in encrypting data which can be seen in the browser address bar when the previous session is restored. Secondly, those are URL params, sent in plain text over the wire. The problem with the example shown is not at the browser end; it's the site at the other end which uses URL params for auth over http, not https.

Storm in a teacup anyone?

Yeah, this is completely insecure anyway. I had even missed that it used http and not even https, so yes, it's sent in cleartext on all browsers over the wire.
Rating: 3 Votes
10 months ago

But you need to enter the Master Password to see them, and the file that contains the passwords on the filesystem has its contents encrypted, so not the same at all.


Maybe they meant in Google Chrome, because in Chrome you don't need to enter any password whatsoever. Someone on your computer (even just using it for a few seconds) can open Chrome, go to Preferences, select "Advanced Settings" at the bottom, select "Manage saved passwords", then "Show password"! No password entry required to show the password in plain text! At least the Mac OS X keychains are locked with the login password by default.

As for this supposed "security issue" with old versions of Safari, it seems a moot point to encrypt this data from the last session if the user/pass is in plain text in the URL itself. That's the website's security hole, not Safari's.
Rating: 3 Votes