Safari Security Hole Allows Cookie Theft

An anonymous reader writes "MacSlash posted a story about a vulnerability in Safari. The exploit allows someone to steal any of your domain-based cookies (passwords, private info, etc.) from any website. Mozilla and Internet Explorer had the same bug in the past."

Cookie Theft

[dpdawson]

Marc Slemko: Apple stole the cookie from the cookie jar.

Apple: Who me?

Marc Slemko: Yes, you.

Apple: Couldn't be.

Marc Slemko: Then who?

Re:I wonder.

[Ianoo]

Potentially, but I doubt it. The two browsers share a rendering engine, not much else. Cookies are purely a protocol issue, they add extra data when doing a GET/POST request on a web page. Nothing whatsoever to do with HTML rendering.

Potentially a bug could exist in the Javascript engine, and since Javascript can access cookies, and they could be stolen this way. However this particular bug doesn't appear to be JS-related, rather it's something more fundamental (but easily fixed by Apple, hopefully).

Since Konqueror uses KDE/QT's socket classes, whilst Safari uses the Carbon/Darwin sockets interface, it's unlikely the bug would rear it's head in Konqueror IMHO.

Doesn't affect me?

I am trying the "test" and all I get is:


Please wait while loading the script

You are stuck on this page ?
It means that your browser is not vulnerable, sorry, or maybe, not so
sorry, it's how the things should be !!!.
You can press the back button now :)


I am running Safari 1.1.1 (v100.1). Could it be because
of This Hint?

Fix it, but... what's the fuss?

[jtheory]

The exploit allows someone to steal any of your domain-based cookies (passwords, private info, etc.) from any website.

Any security hole should be fixed, but this is not as serious as they make it sound.

Passwords? Private info? What serious web developer would be keeps these in a cookie? Cookies are not secure. They are stored unencrypted on the user's hard drive (where they are easily rifled through), and (as mentioned) there have been plenty of bugs in the past that have made their data accessible to John Q. Hacker.

Cookies are mostly used for storing session ids, or another meaningless number that links back to the real info stored in a database on the server (yes, you don't want a hacker reading your session id, but this is a much lower risk).

This is not just for security reasons -- it's because cookies are not reliable. Cookies get wiped out all the time (all browsers that I know of let you delete them, and I see lots of ads for software that offers to manage, delete, filter, or "clean them up" for me.

Also, cookie size is limited (and does this differ on the diff browsers? I know GET request size does), so you could screw yourself over if you were storing a user's personal info and their address was really long.

Why would you store username/password data in a cookie anyway? Most browsers do this for you now, *and* they are more secure about it. Hm.

These are the best practices I was taught, at any rate. I didn't checked slashcode before posting this... and I suppose it is true that best practices are not always followed.

Does anyone have a real sense of how often sensitive data is stored unencrypted in a cookie?

Re:Fix it, but... what's the fuss?

[Taran]

If the web app allows you to edit your information once you've aquired an authorized session, then stealing that authorized session could allow someone to hijack your information and/or your identity with that web app/company.

Re:That's not the biggest Safari bug

This isn't a Safari bug, this is how your OS deals with virtual memory.

Look in /var/vm

And you will see... swapfile1, swapfile2... etc. The OS creates these as needed.

Now for the OS to recover swap space, there has no be no pages addressed to a swap file. When you run Safari what gets paged out to disk? Not safari, but all the other applications you are running. Therefore, quitting Safari does nothing. The OS won't page in the swap unless you need access to that page of memory.