Safari Security Hole Allows Cookie Theft
An anonymous reader writes "MacSlash posted a story about a vulnerability in Safari. The exploit allows someone to steal any of your domain-based cookies (passwords, private info, etc.) from any website. Mozilla and Internet Explorer had the same bug in the past."
Might the Konqueror browser be affected by this?
The real problem seems to be using a programming language that uses null termination. When you allow "commands" and data to intermingle so closely you are inviting trouble.
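Added example (not code from the page, from Safari, or from WebKit) of the general hazard the comment describes: a host string that one component reads as a NUL-terminated C string while another component is length-aware. The percent-decoder, the two "layers", and the hosts attacker.test / www.example.test are all constructed for illustration; the domain-matching rule is a plain suffix match, not any particular browser's cookie policy.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Minimal percent-decoder for the host part of a URL (constructed helper).
 * It copies raw bytes, so "%00" becomes an embedded NUL. Returns the byte
 * length and NUL-terminates the output for the convenience of C-string code. */
static int hexval(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

static size_t decode_host(const char *in, char *out, size_t outcap) {
    size_t n = 0;
    for (size_t i = 0; in[i] != '\0' && n + 1 < outcap; i++) {
        if (in[i] == '%' && hexval(in[i + 1]) >= 0 && hexval(in[i + 2]) >= 0) {
            out[n++] = (char)(hexval(in[i + 1]) * 16 + hexval(in[i + 2]));
            i += 2;
        } else {
            out[n++] = in[i];
        }
    }
    out[n] = '\0';
    return n;
}

/* "Connection layer": treats the buffer as a C string, so it sees only the
 * bytes before the first NUL. */
static size_t connect_host_len(const char *host) { return strlen(host); }

/* "Cookie layer": length-aware suffix match, so the embedded NUL is just
 * another byte and the tail of the buffer still matches the cookie domain. */
static bool cookie_domain_matches(const char *host, size_t hlen, const char *domain) {
    size_t dlen = strlen(domain);
    if (hlen < dlen) return false;
    if (memcmp(host + hlen - dlen, domain, dlen) != 0) return false;
    return hlen == dlen || host[hlen - dlen - 1] == '.';   /* label boundary */
}

/* True when the two layers disagree about what host they are talking to:
 * cookies would be selected for `cookie_domain` while the connection goes
 * to the shorter, NUL-truncated name. */
bool cookies_leak_for(const char *url_host, const char *cookie_domain) {
    char buf[256];
    size_t n = decode_host(url_host, buf, sizeof buf);
    return cookie_domain_matches(buf, n, cookie_domain) && connect_host_len(buf) != n;
}

/* Fix: validate once, at parse time, with the explicit length. Reject any
 * byte that cannot appear in a hostname (NUL included) so that every later
 * layer necessarily sees the same host. */
static bool host_is_clean(const char *host, size_t hlen) {
    if (hlen == 0) return false;
    for (size_t i = 0; i < hlen; i++) {
        unsigned char c = (unsigned char)host[i];
        bool ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                  (c >= '0' && c <= '9') || c == '-' || c == '.';
        if (!ok) return false;
    }
    return true;
}

bool host_accepted(const char *url_host) {
    char buf[256];
    size_t n = decode_host(url_host, buf, sizeof buf);
    return host_is_clean(buf, n);
}

int main(void) {
    const char *bad = "attacker.test%00www.example.test";   /* constructed input */
    printf("leaks cookies for example.test: %s\n", cookies_leak_for(bad, "example.test") ? "yes" : "no");
    printf("accepted by length-aware validator: %s\n", host_accepted(bad) ? "yes" : "no");
    return 0;
}
```

The point is not the particular suffix rule but that two pieces of code held different opinions about where the host string ended; rejecting the NUL at the single parse point removes the disagreement instead of patching each consumer.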
Well... your Slashdot login is (hashed but stealable) in a cookie right now.
Perhaps that doesn't qualify as "serious", but don't come crying to me when your karma bottoms out after "you" post 500 goatse trolls in a row.
Safari 1.1.1 (v100.1)
Still see my ebay cookies.
Maybe you cleared your cookie cache or have accepting them turned off?
You're just jealous because the voices only talk to me.
Does this affect the CURRENT version of Safari, v1.1.1? I don't think so, since I tried the http://alive.znep.com/~marcs/security/mozillacookie/demo.html link and it didn't send anything back.
Heh, aren't brownies the more traditional medium?
Anyway, my post did have the caveat that I did NOT review slashcode before posting.... Honestly, though, slashdot seems to be designed so that you can have as much security as you want, even if that cookie has a hash of sensitive data instead of a temporary session id.
You can control whether your login (held in the cookie) lasts for the browser session only, vs. a whole year. You can also manually logout whenever you want (again, deletes the cookie).
If you do either of those (and don't visit possible cracker-owned sites while you're logged in) you are perfectly safe, since the hacker won't ever be able to see the slashdot cookie.
[I'm assuming that's a hash of the username AND password -- if it's only the username, that's insecure, since the cracker could just figure out the hash algorithm and make cookies from whatever username they wanted.]
Slashdot is unusual in that we have that option (because Taco figures we'll understand it, I guess). In general, sites decide this for you, and don't allow "eternal login" if there's sensitive data at risk -- at most they will save your login name for you (but not the password).
See? No goatse.
There are only 10 types of people: those who understand decimal, those who don't, and, uh, 8 other types I forget.
No, it is not already patched. I am running Safari 1.1.1 (v100.1), and the insecure website's proof-of-concept DOES show me ALL cookies stored in the .ebay.com domain.
I'm not vulnerable because Squid catches the URL and says 'NO! Bad!'. Using a proxy means the whole URL gets passed to the proxy, creating an error page.
Still, irritating bug.
--sitharus
I was a bit dubious at first, but the patch includes source code. I did install the supplied binary, though...
What I'm really surprised about, however, is that a third-party developer can fix a problem like this at all, and how easily the fix can be hooked into Safari. It appears that this OpenStep/Cocoa framework stuff is really flexible...
Oh and yes, it does work!