Skip to content ↓ | Skip to navigation ↓

Researchers at Kaspersky Lab have identified a flaw in the Safari browser that can allow an attacker to restore a users’ previous browsing session and expose login credentials.

“Safari… doesn’t encrypt previous sessions and stores them in a standard plist file that is freely accessible. As a result, it’s easy to find a user’s login credentials,” wrote Vyacheslav Zakorzhevsky. “It’s pretty clear that the login and password are not encrypted (see the red oval in the screenshot).”

pic

Zakorzhevsky goes on to explain that the complete authorized session is saved in the plist file in plain text regardless of whether the session was conducted with https, as the file is located in a hidden folder but available for anyone to access.

“The system can easily open a plist file. It stores information about the saved session – including http requests encrypted using a simple Base64 encoding algorithm – in a structured format,” Zakorzhevsky wrote.

“There is a function in Safari – ‘Reopen All Windows from Last Session’ – that allows sites to be opened exactly as they were at the end of the previous session. This is the function that uses LastSession.plist.”

The “Reopen All Windows from Last Session” function is available on several versions of Mac OS X and Safari, including OSX10.7.5, Safari 6.0.5 and OSX10.8.5, Safari 6.0.5.

“As far as we are concerned, storing unencrypted confidential information with unrestricted access is a major security flaw that gives malicious users the opportunity to steal user data with a minimum of effort. We have informed Apple about the problem,” Zakorzhevsky said.

Read More Here…