Older versions of Safari for Mac store unencrypted user login credentials in a plain text file, according to security firm Kaspersky (via ZDNet). Safari saves the information in order to restore a previous browsing session, reopening all sites, even those that require authentication using the browser's "Reopen All Windows from Last Session" functionality.

safari_loophole_01

Plist file screenshot showing login credentials from Kaspersky

It turns out that Safari for Mac OS, like many other contemporary browsers, can restore the previous browsing session. In other words, all the sites that were open in the previous session – even those that required authorization – can be restored in a few simple steps when the browser is launched. Convenient? Of course. Safe? No, unfortunately.

Safari 6.0.5 for OS X 10.8.5 and 10.7.5 does not encrypt previous sessions, storing them instead in a standard LastSession.plist file that includes website usernames and passwords. Though the file is located in a hidden folder, it is still easily accessible and can be opened on any system.

Apple fixed this issue in Safari 6.1, which was released alongside OS X 10.9 Mavericks. Mac users running Mavericks or those who have installed the Safari 6.1 update for OS X 10.8 Mountain Lion or OS X 10.7 Lion will not be affected. This problem is limited to users running Safari 6.0.5 and can be remedied by upgrading to the latest software.

Top Rated Comments

john.jansen Avatar
104 months ago
Thats totally misleading, firstly there is no point in encrypting data which can be seen in the browser address bar when the previous session is restored. Secondly, those are url params, sent in plain text over the wire. The problem with the example shown is not at the browser end, its the site at the other end which uses url params for auth over http not https.

Storm in a teacup anyone?
Score: 22 Votes (Like | Disagree)
batchtaster Avatar
104 months ago
Has nobody looked at Firefox's Saved Passwords feature? Literally the only security is a button labeled "Show Passwords". And it's been that way for years.

Score: 11 Votes (Like | Disagree)
osx11 Avatar
104 months ago
Sometimes it amazes me how simple things like this go unnoticed for so long.
Score: 8 Votes (Like | Disagree)
cantona1995 Avatar
104 months ago
Has nobody looked at Firefox's Saved Passwords feature? Literally the only security is a button labeled "Show Passwords". And it's been that way for years.

Image (http://cdn2.brunocunha.com/blog/wp-content/uploads/2013/08/firefox-passwords.png)

But you need to enter the Master Password to see them and the file that contains the passwords on the filesystem has its contents encrypted so not the same at all
Score: 5 Votes (Like | Disagree)
iSee Avatar
104 months ago
Thats totally misleading, firstly there is no point in encrypting data which can be seen in the browser address bar when the previous session is restored. Secondly, those are url params, sent in plain text over the wire. The problem with the example shown is not at the browser end, its the site at the other end which uses url params for auth over http not https.

Storm in a teacup anyone?

BOOM! You just sunk Kaspersky's battle ship.
Score: 4 Votes (Like | Disagree)
rboerdijk Avatar
104 months ago
<sarcasm on>
If the password is visible in plaintext, it means the NSA will catch more terrorists. So this is basically a good thing.
</sarcasm off>
Score: 4 Votes (Like | Disagree)

Popular Stories

macbook pro 13 inch banner

Apple Planning Five New Macs for 2022, Including Entry-Level MacBook Pro Refresh

Sunday December 5, 2021 7:55 am PST by
Apple is working on five new Macs for launch in 2022, including a new version of the entry-level MacBook Pro, according to Bloomberg's Mark Gurman. In the latest edition of his "Power On" newsletter, Gurman said that he expects Apple to launch five new Macs in 2022, including: A high-end iMac with Apple silicon to sit above the 24-inch iMac in the lineup A significant MacBook Air...
apple watch series 7 aluminum colors

2022 Apple Watch Lineup Rumored to Include New Apple Watch SE and 'Rugged' Model for Sports

Sunday December 5, 2021 8:22 am PST by
Apple is planning an entire revamp of its Apple Watch lineup for 2022, including an update to the Apple Watch SE and a new Apple Watch with a rugged design aimed at sports athletes, according to respected Bloomberg journalist Mark Gurman. Writing in the latest installment of his Power On newsletter, Gurman said that for 2022, alongside the Apple Watch Series 8, Apple is planning an update to ...
airtag in hand

Apple AirTag Linked to Increasing Number of Car Thefts, Canadian Police Report

Friday December 3, 2021 7:10 am PST by
Apple's AirTags are being used in an increasing number of targeted car thefts in Canada, according to local police. Outlined in a news release from York Regional Police, investigators have identified a new method being used by thieves to track down and steal high-end vehicles that takes advantage of the AirTag's location tracking capabilities. While the method of stealing the cars is largely ...
1x 1

Apple CEO Tim Cook 'Secretly' Signed $275 Billion Deal With China in 2016

Tuesday December 7, 2021 6:49 am PST by
Apple CEO Tim Cook "secretly" signed an agreement worth more than $275 billion with Chinese officials, promising that Apple would help to develop China's economy and technological capabilities, The Information reports. In an extensive paywalled report based on interviews and purported internal Apple documents, The Information revealed that Tim Cook personally forged a five-year agreement...
ipad air arrive feature

iPad Pro With Wireless Charging, iPad Air 5, and iPad 10 Reported to Debut in 2022

Sunday December 5, 2021 8:54 am PST by
Apple is preparing to update three of its iPad models in 2022, including the entry-level iPad, iPad Air, and iPad Pro, according to Bloomberg's Mark Gurman. In his latest "Power On" newsletter, Gurman reiterated Apple's plans to release a new iPad Pro in 2022, featuring a new design and wireless charging, and clarified the company's intention to release new versions of the entry-level iPad...
2021 MBP SD Card Error Feature

Some SD Cards Not Working Properly With 2021 14 and 16-Inch MacBook Pros

Monday December 6, 2021 2:02 pm PST by
The SD card reader slot on the new 14 and 16-inch MacBook Pro models is not functioning as expected with some SD cards, according to multiple reports on the MacRumors forums. In a long complaint thread, MacRumors readers have detailed the issues that they're having with some SD cards, and there seems to be little consistency between reports and affected SD cards. Some SD cards crash and...
airpods pro blue holiday 3

Deals: AirPods Pro With MagSafe Available for $169.99 and Christmas Delivery on Amazon ($79 Off) [Update: Expired]

Monday December 6, 2021 6:03 am PST by
Amazon today has Apple's AirPods Pro with MagSafe Charging Case for $169.99 and delivery before Christmas Day, down from an original price of $249.00. This is $10 off from the rock bottom $159.99 price tag we tracked on Black Friday and Cyber Monday, and still a great deal for anyone shopping this holiday season. Note: MacRumors is an affiliate partner with Amazon. When you click a link and...
life360 app

Tile Buyer Life360 Selling Precise Location Data on Millions of Users

Monday December 6, 2021 1:05 pm PST by
Location tracking service Life360 has been selling the precise location data of tens of millions of its users, according to a new report shared by The Markup. Life360 bills itself as a "family safety platform" app that is meant to allow family members to keep tabs on one another with tracking software that's installed on smartphones, and there are both Android and iPhone apps. The...