
Old Apple Safari browsers retain easily accessible IDs and passwords


sincity


Kaspersky Labs has discovered a flaw in Apple's Safari browser that lists user IDs and passwords in plaintext, according to a blog post made on the company's Securelist website.

The problem appears to derive from Safari's retention of browser history in the 'Reopen All Windows from Last Session' feature, which lets users quickly revisit the sites that they had been browsing in a previous online session. Most browsers have this feature and, though convenient, it isn't entirely safe.

Kaspersky has found that the document Safari creates to allow the restoration to occur is in plaintext format. The plaintext also contains whatever IDs and passwords may have been in use during the previous Safari session. The file is hidden, but isn't hard to find for someone who knows what they are looking for.

Mauled on Safari

As the post states: "You can just imagine what would happen if cybercriminals or a malicious program got access to the LastSession.plist file on a system where the user logs into Facebook, Twitter, LinkedIn or their online bank account." It then adds: "As far as we are concerned, storing unencrypted confidential information with unrestricted access is a major security risk."

The security company has pointed the problem out to Apple, and also says that it is not aware of any malware that might be targeting the flaw. The blog post has been online since Friday, however, so there can be no certainty that malware-writers have not noticed and begun their work.

Apple's official security feed has been silent on the matter, but any form of panic would be immature: Kaspersky says the problem only affects OS X 10.8.5 running Safari 6.0.5 and OS X 10.7.5 with Safari 6.0.5. Still, even if a small percentage of users can be affected, it would be imperative for Apple to fix the issue.
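Added example, not part of the original post or of Kaspersky's write-up: a defender-side audit that walks a session-restore property list and reports where non-empty credential-like fields sit in plaintext, without ever returning the values. The key-name heuristic and the sample layout (`SessionWindows`, `TabStates`, `FormFields`) are assumptions constructed for illustration, not Safari's actual LastSession.plist schema.

```python
import plistlib
import re

# Heuristic for field names that usually carry secrets (assumed, tune per environment).
SENSITIVE = re.compile(r"pass|pwd|secret|token", re.I)

def find_sensitive_fields(node, path=""):
    """Walk a parsed plist; return (location, length) for credential-like fields.

    Only the location and the length are reported, never the value itself,
    so the audit output is safe to log or attach to a ticket.
    """
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}/{key}"
            if isinstance(value, (str, bytes)) and value and SENSITIVE.search(key):
                hits.append((here, len(value)))
            else:
                hits.extend(find_sensitive_fields(value, here))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits.extend(find_sensitive_fields(item, f"{path}[{i}]"))
    return hits

def audit_session_plist(raw: bytes):
    """Parse XML or binary plist bytes and audit the resulting tree."""
    return find_sensitive_fields(plistlib.loads(raw))

# Constructed sample: hypothetical layout, NOT Safari's real session-file schema.
SAMPLE = plistlib.dumps({
    "SessionWindows": [{
        "TabStates": [
            {"TabURL": "https://example.test/login",
             "FormFields": {"username": "alice",
                            "password": "hunter2-constructed"}},
            {"TabURL": "https://example.test/news", "FormFields": {}},
        ],
    }],
})

if __name__ == "__main__":
    for location, length in audit_session_plist(SAMPLE):
        print(f"plaintext secret-like field at {location} "
              f"({length} chars, value withheld)")
```
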
