Safari Stores Previous Browsing Session Data Unencrypted

← Back to Stories (view on slashdot.org)

Safari Stores Previous Browsing Session Data Unencrypted

Posted by Soulskill on Friday December 13, 2013 @08:22AM from the security-through-obscurity dept.

msm1267 writes "Users of Apple's Safari browser are at risk for information loss because of a feature common to most browsers that restores previous sessions. The problem with Safari is that it stores session information including authentication credentials used in previous HTTPS sessions in a plaintext XML file called a Property list, or plist, file. The plist files, a researcher with Kaspersky Lab's Global Research and Analysis Team said, are stored in a hidden folder, but hiding them in plain sight isn't much of a hurdle for a determined attacker. 'The complete authorized session on the site is saved in the plist file in full view despite the use of https,' said researcher Vyacheslav Zakorzhevsky on the Securelist blog. 'The file itself is located in a hidden folder, but is available for anyone to read.'"

135 comments

Min score:

Reason:

Sort:

Local file by Anonymous Coward · 2013-12-13 08:28 · Score: 5, Informative

If someone else is reading files on your computer, you're already screwed!
1. Re:Local file by Anonymous Coward · 2013-12-13 08:32 · Score: 5, Insightful
  
  And here we go again: someone claims that "if something is not completely perfect, it's completely useless".
  Look, even if someone gets local access to your files, you are still less fucked if some of them are encrypted.
2. Re:Local file by Anonymous Coward · 2013-12-13 08:34 · Score: 2, Insightful
  
  Physical access = surfing history is the least of your problems.
3. Re:Local file by Anonymous Coward · 2013-12-13 08:35 · Score: 1
  
  Ahem. What about when you're "shopping for presents" on a shared computer, and you don't want the other users to know about which "presents" you were looking at?
4. Re:Local file by Anonymous Coward · 2013-12-13 08:37 · Score: 0
  
  No if someone else is writing and executing files on your computer your screwed (especially with root access) having read access, while undesirable, shouldn't reveal any of your passwords.
5. Re:Local file by Anonymous Coward · 2013-12-13 08:59 · Score: 2, Informative
  
  If that's the threat you're concerned with, why not encrypt your sensitive files yourself instead of expecting your browser to encrypt one of your sensitive things?
6. Re:Local file by g0bshiTe · 2013-12-13 09:04 · Score: 1
  
  From the link submitted with the summary
  
  You can just imagine what would happen if cybercriminals or a malicious program got access to the LastSession.plist file on a system where the user logs in to Facebook, Twitter, LinkedIn or their online bank account.
  I'd consider that to be a goatse sized hole.
  
  --
  I am Bennett Haselton! I am Bennett Haselton!
7. Re:Local file by Anonymous Coward · 2013-12-13 09:29 · Score: 0
  
  Sigh, this is what happens when you give Unix to Mac users.
  Unix is a multi-user system. If someone else is reading files on your computer then that'll be because the files have group/world read permission set. And if software is setting that bit for private user data, the software is at fault.
8. Re:Local file by arth1 · 2013-12-13 09:32 · Score: 1
  
  If someone else is reading files on your computer, you're already screwed!
  Many of us here grew up with multiuser systems, and don't see what the problem is with that.
9. Re:Local file by Anonymous Coward · 2013-12-13 09:38 · Score: 2, Insightful
  
  Defense in depth. Is that really so hard for people to understand?
10. Re:Local file by BasilBrush · 2013-12-13 09:55 · Score: 2
  
  Right, and the multi-user element of OSX will prevent other users from reading this file.
11. Re:Local file by rsborg · 2013-12-13 09:59 · Score: 1
  
  If someone else is reading files on your computer, you're already screwed!
  This has issues for backups as well - you may have been very good at prevent physical/console access to your computer, but if someone gets an old backup that happens to be unencrypted, your secure browsing history is now exposed.
  Your entire premise is an argument against defense-in-depth multilayered security policy. I'd go with the expert-guided policy against your pithy analysis.
  
  --
  Make sure everyone's vote counts: Verified Voting
12. Re:Local file by Anonymous Coward · 2013-12-13 10:04 · Score: 2, Informative
  
  I don't expect a browser to litter my filesystem with unencrypted sensitive data for no good reason. And if they are hidden, there should be no expectation that users manage them.
13. Re:Local file by sl4shd0rk · 2013-12-13 10:08 · Score: 1
  
  "if something is not completely perfect, it's completely useless".
  You are trying to apply a paradigm reserved for baked goods to computer security; Half baked cookies aren't so bad. Half baked security (plaintext) is indeed useless.
  
  --
  Join the Slashcott! Feb 10 thru Feb 17!
14. Re:Local file by Anubis+IV · 2013-12-13 10:12 · Score: 5, Informative
  
  Quite true, but it's worth pointing out that the summary (and articles) conveniently left out the fact that this information has been encrypted for months; the issue was addressed by a Safari update that came out with Mavericks and was made available for older versions of the OS.
  In fact, the issue is specific to an outdated version of Safari (v6.0.5) that only runs on outdated versions of OS X (10.7 Lion and 10.8 Mountain Lion). Anyone who installed the free OS X 10.9 Mavericks update that came out back in October is fine, since it came with Safari 6.1, which fixed the issue. For those users who stuck with 10.7 or 10.8, OS X's built-in Software Update feature runs once a week by default, so most of them have been getting prompts since October to do a one-click upgrade that would address this issue, since Safari 6.1 is available to all of them as well.
  Long story short, this is a non-issue that affects a trivial portion of the Mac user base, since updates were issued months ago and the systems are configured such that the fix would be widely applied by default. Even so, we can agree that if you compromise physical access, you've compromised the system.
15. Re:Local file by Anonymous Coward · 2013-12-13 10:14 · Score: 1
  
  Yes, we should all have computer science phd and be aware of all of the files that thirdparty programs use on our machine and preemptively encrypt it. Each layman should be extremely smarter than most determined hacker. Is that too hard?
16. Re:Local file by Anonymous Coward · 2013-12-13 10:17 · Score: 0
  
  I give my computer to guests for few min here and there. I can check physically that he/she is not putting usb drive and doing mass copy etc. But certainly cannot check if he/she opens a file for few sec. If it only takes a casual physical access for few sec to get your bank passwd, then you are screwed and if you don't understand this simple thing, you are better off AC. Oh, wait. you are AC.
17. Re:Local file by LordLimecat · 2013-12-13 10:19 · Score: 1
  
  Presumably said plist file is stored in the user's profile, where on any current OS that would mean that noone other than a superuser or the user themselves could access it.
18. Re:Local file by LordLimecat · 2013-12-13 10:20 · Score: 1
  
  If you include the encryption key with the backup, it doesnt matter either way. If you dont, its not a terribly useful backup.
19. Re:Local file by multimediavt · 2013-12-13 10:20 · Score: 1
  
  And here we go again: someone claims that "if something is not completely perfect, it's completely useless".
  Look, even if someone gets local access to your files, you are still less fucked if some of them are encrypted.
  True, but that "less" would be about 0.0001% less fucked. Fucked is fucked. There really isn't a partial to it when it comes to data security. That one pretty much is a "is" or "isn't". Local access to files is a lot more fucked than one unencrypted file. About 1,000,000% more fucked.
20. Re:Local file by Bert64 · 2013-12-13 10:34 · Score: 3, Insightful
  
  Which means you need to enter your key every time you start the browser...
  If the browser has a way of automatically knowing the decryption key, then so does a hacker.
  Also, previous session data should be useless - the sessions should have expired, or been closed when you logged out. Most sites that offer the option to stay logged in warn you against doing so on a system you don't trust.
  And i'm pretty sure other browsers don't store persistent cookies very securely either, they used to be in a plain text file and they can certainly be viewed/user from within most browsers without having to ever supply a decryption key.
  
  --
  http://spamdecoy.net - free throwaway anonymous email - avoid spam!
21. Re:Local file by retroworks · 2013-12-13 10:46 · Score: 1
  
  "Fucked is fucked. There really isn't a partial to it when it comes to data security."
  Not really? The value of the data and the value of the target dictate the depth of the necessary encryption. I see the extent people go to in order to destroy a 1993 486X hard drive, as if someone is going to ever take the time to boot it up to retrieve their data. The article contributes necessary information, that I can browse news stories on my Safari browser, but I should hesitate to log into my bank account. Too many people are seeking complete invisibility of everything, when it's really only important to hide the juicy bits. We don't need to be afraid of every single spider, just the black widows and brown recluses.
  
  --
  Gently reply
22. Re:Local file by Anonymous Coward · 2013-12-13 10:50 · Score: 0
  
  The original article *does* say it applies to 6.0.5 on OS X 10.8 and 10.7, and how they "informed Apple about the issue"
  My guess would be they wrote it on Oct 13 and put it in the blog's queue to publish after 3 months to give Apple time to react, and then forgot to edit or delete it, as it sounds pretty silly to "inform Apple" about the problem that's explicitly fixed in a long since released security update.
23. Re:Local file by Anonymous Coward · 2013-12-13 11:14 · Score: 0
  
  Why can the guest account on your computer access your own user files?
24. Re:Local file by Anonymous Coward · 2013-12-13 12:15 · Score: 0
  
  Because hate for Apple is nearly unlimited.
25. Re:Local file by Anonymous Coward · 2013-12-13 13:32 · Score: 0
  
  Except for all of those people for whom 10.6 is the last OS X release that's permitted to be installed on their hardware. I have a Core 1 Duo stuffed with RAM that's perfectly usable still; it may end up running Linux before too long (and gaining an additional 7-10 years of life over the Apple-supported software).
26. Re:Local file by Anonymous Coward · 2013-12-13 13:40 · Score: 0
  
  I'm the AC you're replying to. I'm also a Mac developer so I know you need Dev Tools installed to get the Property List Editor, and in Mac OS X 10.4 and later, plist files are often in binary format (this includes Safari) so any old text editor isn't going to get the job done.
  So let me explain a few "simple things you don't understand": security starts with YOU. You are responsible for the security of your systems. Period. No excuses.
  - saving your bank username and password in ANY browser is just lazy and stupid.
  - in general, saving passwords in your browser isn't a good idea (Firefox stores them in plain text FFS!)
  - giving anyone physical access to your system while you are logged in is as insecure as you can be.
  - if you think you can always spot a USB drive then you've never learned 'slight of hand'.
  - if you think that the person you are willingly and knowingly handing your computer to - while you are logged AND logged into your bank no less - can quit Safari, find this plist file, figure out which entry is your banking session, memorize all of the auth token information, and close the file so fast that you with your eagle eyes and superior intellect can't see it happen, then maybe, just maybe you shouldn't be handing them your computer.
  Don't take your security training wheels off just yet. We don't want you to hurt yourself.
27. Re:Local file by daveime · 2013-12-13 14:54 · Score: 1
  
  > Look, even if someone gets local access to your files, you are still less fucked if some of them are encrypted.
  
  Which is total bollocks if the encryption key is on the same machine. A computer that is rooted is no longer secure, any data that can be decrypted locally is the same as if it was plaintext anyway.
28. Re:Local file by Anonymous Coward · 2013-12-13 15:34 · Score: 0
  
  I'm the AC you're replying to. I'm also a Mac developer so I know you need Dev Tools installed to get the Property List Editor, and in Mac OS X 10.4 and later, plist files are often in binary format (this includes Safari) so any old text editor isn't going to get the job done.
  Terminal and /usr/bin/defaults are included in a standard install
29. Re:Local file by Anonymous Coward · 2013-12-13 15:39 · Score: 1
  
  In a word: cobblers.
  Encryption might not prevent a determined hacker from stealing someone's session cookies, but it would ward off an opportunistic "Say, that person forgot to lock their workstation when they stepped away for coffee" type attack.
  I assume you don't lock your home's door either. After all, a determined housebreaker can just break the window and enter that way so it's not perfect security, and imperfect security is no security. Indeed, given that, it might be better to just leave all those doors and windows open, less damage that way. ;-)
30. Re:Local file by gagol · 2013-12-13 16:33 · Score: 1
  
  I am much more concerned with my tax reports than browser history. I dont care fuck all if someone knows that I had slashdot, arstechnica and newscientist opened last session. If you browse porn sites in a non anonymous session, you do it wrong.
  
  --
  Tomorrow is another day...
31. Re:Local file by Anubis+IV · 2013-12-13 16:45 · Score: 1
  
  Safari 6 is not and has never been available for OS X 10.6, so those users don't face this issue. That's why I restricted my comments to 10.7-10.9.
32. Re:Local file by Anonymous Coward · 2013-12-13 16:50 · Score: 0
  
  My god, talk to your local psychiatrist, you ARE paranoiac, in the clinical sense. Get help now and god bless you.
33. Re:Local file by Anubis+IV · 2013-12-13 17:01 · Score: 1
  
  The original article *does* say it applies to 6.0.5 on OS X 10.8 and 10.7, and how they "informed Apple about the issue"
  Mentioning it's a problem with 6.0.5 is fine (and I never said that they didn't). My problem with the reporting in both articles and the summary is that it's not made clear that 6.0.5 is an outdated version (all of the verbiage paints it as an issue affecting the latest version), nor is it made clear to users that they can solve this issue by simply applying a software update that's been available for nearly two months. That's a disservice to their readers, who may be affected by the issue, since they're not telling them how to fix it, and it's a disservice to Apple, since they're implying that the issue hasn't been fixed, when it has.
  Your idea about setting a future publication date and then forgetting not to publish it makes a lot of sense, but they've had plenty of time to take it down, retract it, or post an update/edit to it to point users towards the fix or inform people that the information in their report may be outdated, yet they've done none of those. Even worse, the second article is now linking to Slashdot's coverage of the topic in order to reinforce that this is a serious issue.
34. Re:Local file by viperidaenz · 2013-12-13 17:11 · Score: 1
  
  So when someone "just needs to send an email" there is no possibility they attach your plist file to the email they're sending, it's not like it is always stored in the same folder with the same name they can just type in to the file browser dialog... oh wait...
35. Re:Local file by vlueboy · 2013-12-13 17:21 · Score: 1
  
  In fact, the issue is specific to an outdated version of Safari (v6.0.5) that only runs on outdated versions of OS X (10.7 Lion and 10.8 Mountain Lion). Anyone who installed the free OS X 10.9 Mavericks update that came out back in October is fine, since it came with Safari 6.1, which fixed the issue.
  Here is a little known technicalities about version-itis: Back in the days of IE6 on Windows, the powers that be decided that IE5 would be the last version of the browser on Macs. Likely they didn't feel like supporting [and putting up with APIs from] the competition. *
  Safari 5 for Windows is following in the same steps. It's two years out of date, behind Safari 7. Yet iTunes bugs Windows users with the latest revenue-increasing upgrades despite the platform gap. The official Safari 5 for Windows binaries were relegated to cumbersome search item out of dozens of others in the support subdomain with no apologies or even footnotes.
  I have little sympathy for Apple's short support cycles starting with their iMac-era financial rebirth. iOS OTA updates seem to be the exception rather than norm.
  * At some point around 2005 or so, the IE5-for mac download site at Microsoft stopped linking the software, actually encouraging users to get alternative browsers. Moment of silence for the likes of iCab, Netscape and Camino, whose names we used to respect but have forgotten in the wake of Webkit^W safari, Opera, Firefox and eventually Chrome.
36. Re: Local file by Anonymous Coward · 2013-12-13 22:23 · Score: 0
  
  It would have to have re-useable (as in not expired) session authentication data in it from the last time you used Safari.
  They have to be familiar with Macs to be able to access this file location since you can't get at it from any 'Open' or 'Attachments' dialog. But ...
  They can't access it if you don't use the 'resume' feature.
  They can't access it if they are not logged in as you.
  They can't mail it if they can't access it.
  How hard is that to understand?
37. Re:Local file by AmiMoJo · 2013-12-14 00:50 · Score: 1
  
  Firefox can require the key to be typed in when you start it. Most operating systems provide some kind of secure key storage tied yo the binary.
  The main problem with the way Safari does it is that anyone else with admin rights can get access. Typically Mac and Windows users all know the admin password because it is required often and they don't really understand the security implications of sharing it. Malware could also steal the data, including secure sessions like accessing web mail.
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
38. Re:Local file by Anonymous Coward · 2013-12-14 00:51 · Score: 0
  
  If you browse porn sites in a non anonymous session, you do it wrong.
  The sites can give you pretty good recommendations if you don't: "you liked these videos, we think you might like...."
39. Re:Local file by teg · 2013-12-14 00:59 · Score: 1
  
  If you include the encryption key with the backup, it doesnt matter either way. If you dont, its not a terribly useful backup.
  Apple's Time Machine can use full disk encryption. You need a password/passphrase to be able to read from the disk later, which is rather useful. If someone steals my iMac and my onsite backup, they can not access any data - the system, as well as the backup, are both encrypted.
40. Re:Local file by cellocgw · 2013-12-14 01:38 · Score: 1
  
  I dont care fuck all if someone knows that I had slashdot, arstechnica and newscientist opened last session.
  You're missing the point. It's not hard to allow the browser to store your login credentials for webmail pages, your amazon account, etc. And as we all (should) know, if someone can get your email, they can set up a bunch of "forgot my password" requests at all your pseudosecure (bank website) places, retrieve the password reset emails, and off your money goes.
  
  --
  https://app.box.com/WitthoftResume Code: https://github.com/cellocgw
41. Re:Local file by Mojo66 · 2013-12-14 02:06 · Score: 1
  
  Firefox can require the key to be typed in when you start it.
  Yep, and that is exactly how Safari could do better. Although it is bad if a program can access your local files, it can't do anything with those files as long as a passphrase is needed to decrypt them. Neither the Kaspersky article nor anyone here has mentioned this explicitly so far.
42. Re:Local file by Anonymous Coward · 2013-12-14 04:21 · Score: 0
  
  Defense in depth. Is that really so hard for people to understand?
  The words themselves are very simple. The concept really confuses people since they've never really had a chance to see it. This is simplest to see through people who want to accept spying on private individuals by the security services. They think that, because the NSA knows more about security than they do personally, giving the security people a copy of everything and then trusting it not to leak is okay.
43. Re:Local file by Anonymous Coward · 2013-12-14 10:06 · Score: 0
  
  Sigh, this is what happens when you give Unix to Mac users.
  Unix is a multi-user system. If someone else is reading files on your computer then that'll be because the files have group/world read permission set. And if software is setting that bit for private user data, the software is at fault.
  So you admit that the true problem here is that the "Nerds" here don't know that Mac users will actually do that.
44. Re:Local file by smash · 2013-12-15 04:54 · Score: 1
  
  Run filevault.
  
  --
  I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
45. Re:Local file by smash · 2013-12-15 04:55 · Score: 1
  
  If you want encryption, you run file vault. If someone is logged into your account, guess what?
  
  --
  I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
46. Re:Local file by smash · 2013-12-15 04:56 · Score: 1
  
  What? This is why we have usernames and passwords to log into the computer.
  
  --
  I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
47. Re:Local file by smash · 2013-12-15 04:58 · Score: 1
  
  Throwing technology at a user problem is never going to work. You already have a solution: use a guest account on your mac.
  
  --
  I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
48. Re:Local file by smash · 2013-12-15 05:01 · Score: 1
  
  I"m sure the people stuck on Linux 2.0 are whinging about security too.
  
  --
  I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
49. Re:Local file by dwightk · 2013-12-15 17:46 · Score: 1
  
  wow, you have awful friends
  
  --
  Like anyone can even know that
50. Re:Local file by kommakazi · 2013-12-18 08:03 · Score: 1
  
  You're a fucking idiot, set up a Guest account.
51. Re:Local file by kommakazi · 2013-12-18 08:05 · Score: 1
  
  Well it's your own fault for not setting up a guest account and associating with sketchy people who you would let use your computer yet fear may steal your sensitive data. The problem is not the computer, it's you.
Perhaps... by Anonymous Coward · 2013-12-13 08:30 · Score: 0

Perhaps they should fire a darkness ray at it...
Hey by NoNonAlphaCharsHere · 2013-12-13 08:32 · Score: 5, Funny

When Apple says "easier to use", they mean for EVERYBODY.
Hmmm .... by gstoddart · 2013-12-13 08:33 · Score: 5, Interesting

So, as far as I can tell, Safari doesn't actually block 3rd party cookies despite saying it does, and stores your credentials in plain text.
Sounds like Apple have some issues on their hands.
Hell, in my experience with Safari on Windows, deleting a cookie causes WebKit2WebProcess to crash.

--
Lost at C:>. Found at C.
1. Re:Hmmm .... by JustOK · 2013-12-13 08:42 · Score: 1
  
  Hell, in my experience with Safari on Windows, deleting a cookie causes WebKit2WebProcess to crash.
  Works fine under wine in a vm running in the cloud.
  
  --
  rewriting history since 2109
2. Re:Hmmm .... by XxtraLarGe · 2013-12-13 09:21 · Score: 3, Informative
  
  So, as far as I can tell, Safari doesn't actually block 3rd party cookies despite saying it does, and stores your credentials in plain text.
  Yes it does. I know this because I had to disable the feature to access my banking site's eDeposit feature before it would work. Just go to Safari -> Preferences -> Privacy -> Block cookies from 3rd party sites.
  
  --
  Taking guns away from the 99% gives the 1% 100% of the power.
3. Re:Hmmm .... by BasilBrush · 2013-12-13 09:57 · Score: 2
  
  So, as far as I can tell, Safari doesn't actually block 3rd party cookies despite saying it does
  Any evidence for you claim?
4. Re:Hmmm .... by Anonymous Coward · 2013-12-13 13:13 · Score: 0
  
  So, as far as I can tell, Safari doesn't actually block 3rd party cookies despite saying it does
  If only Google had known what you know... They could have avoided that multimillion dollar settlement for privacy violation for the workaround they ("inadvertently") used.
5. Re:Hmmm .... by antdude · 2013-12-14 08:29 · Score: 1
  
  It's not just banking web sites too. Disqus and many others. :(
  
  --
  Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
6. Re:Hmmm .... by gstoddart · 2013-12-16 02:08 · Score: 1
  
  Any evidence for you claim?
  Empirically, when I disable 3rd party cookies and visit a web site with Safari, I see a large amount of 3rd party cookies. Try something juice like the LA Times which has crap tons of advertising sites.
  So, assuming my instance isn't singularly broken, I conclude Safari does a piss-poor job of blocking 3rd party cookies.
  Google and others figured a way around it, and in my experience, it's essentially useless. Hell, Google paid a fine for having done so.
  
  --
  Lost at C:>. Found at C.
Why the surprise? by QuietLagoon · 2013-12-13 08:35 · Score: 5, Insightful

...'The complete authorized session on the site is saved in the plist file in full view despite the use of https...
HTTPS only ensures security between the browser and the web server. HTTPS is not designed to ensure security of what the browser decides to store locally.
1. Re:Why the surprise? by Anonymous Coward · 2013-12-13 08:43 · Score: 0
  
  It's surprising that sensitive information (password) being stored on a computer isn't being encrypted first, but instead is visible for all to see. Your right this is no fault of HTTPS this is a flaw in safari.
2. Re: Why the surprise? by xelah · 2013-12-13 08:52 · Score: 1
  
  We're you asked for a password for accessing the data? If not, then you really shouldn't be surprised. What did you think it was doing? It can't meaningfully encrypt it without a key.
3. Re:Why the surprise? by yincrash · 2013-12-13 08:57 · Score: 5, Informative
  
  Pidgin (formerly gaim) also keeps unencrypted creds. This is their reasoning..
4. Re: Why the surprise? by Havokmon · 2013-12-13 09:13 · Score: 1
  
  We're you asked for a password for accessing the data? If not, then you really shouldn't be surprised. What did you think it was doing? It can't meaningfully encrypt it without a key.
  A session ID would tell the server you were already, or previously, authenticated. It's up to the server to determine if you are still authenticated between browser sessions.
  Saving the password, encrypted or not, is not necessary.
  Of course, we're assuming the researcher didn't check the "save password' box, and then go 'OMG! My password is in clear text but the site is HTTPS!'. If that were true, then he's a moron. I hope they peer review their releases.
  
  --
  "I can't give you a brain, so I'll give you a diploma" - The Great Oz (blatently stolen sig)
5. Re:Why the surprise? by Anonymous Coward · 2013-12-13 09:17 · Score: 0
  
  As does filezilla - people have been using that little hole to get root for a while now
6. Re:Why the surprise? by Anonymous Coward · 2013-12-13 10:06 · Score: 0
  
  Pidgin (formerly gaim) also keeps unencrypted creds. This is their reasoning..
  I understand their logic, and it makes sense I guess because they don't want to roll their own keyring system, but they really should make every attempt to integrate with any available system keyring out there.
  A centralized backup system could easily hoover up these files in a corporate environment and expose the information to an additional set of access controls and people.
  It's just an unnecessary additional attack vector that can allow people to impersonate other people in a complex environment. Your Kerberos stuff will expire somewhat quickly, but your password is sensitive for much longer.
7. Re:Why the surprise? by robmv · 2013-12-13 10:12 · Score: 2
  
  Wrong, use the OS provided keyring (OS X Keychain, GNOME keyring, Windows Credentials API, etc.) that protect your passwords with your local user credentials and only allow direct reading by the application that stored them. It is true that if your computer is compromised passwords are not safe either, but not all compromises have the same kind of access to a decrypt a keyring, but most if not all can read plain text files.
8. Re:Why the surprise? by jones_supa · 2013-12-13 10:34 · Score: 1
  
  ...'The complete authorized session on the site is saved in the plist file in full view despite the use of https...
  HTTPS only ensures security between the browser and the web server. HTTPS is not designed to ensure security of what the browser decides to store locally.
  Of course not, and no one is claiming that. What the article tries to say with "despite the use of https", is that the browser should do the right thing and continue the chain of safety when it has dealt with HTTPS material.
9. Re:Why the surprise? by AHuxley · 2013-12-13 11:53 · Score: 1
  
  Yes it provides one final task for malware to decrypt vs a plain text file for any gov/gov trained staff or skilled person to just 'find' as needed.
  
  --
  Domestic spying is now "Benign Information Gathering"
10. Re:Why the surprise? by Anonymous Coward · 2013-12-13 15:50 · Score: 0
  
  It is security on communication not on data! HTTPS is secure protocol to communicate between the server and the client(browser). It does not enforce what to do with session information so saying "despite the use of https" is moot. Encrypting session data is good but use of HTTPS to talk to the server has nothing to do with IT! Get it? They are separate things!
11. Re:Why the surprise? by jones_supa · 2013-12-13 20:24 · Score: 1
  
  Again, no one is claiming that they are the same thing. It's just not a bad idea if the browser also takes good care of data.
12. Re:Why the surprise? by QuietLagoon · 2013-12-14 17:03 · Score: 1
  
  Again, no one is claiming that they are the same thing.
  Perhaps you should chat with the author of the article. He seems to make that equation.
  .
  Maybe he did it just to grab headlines, or maybe he did it for other reasons. Who knows his intent?
  The bottom line is that page hits = $$
  He got a lot of page hits from the story here on /.
13. Re:Why the surprise? by Anonymous Coward · 2013-12-15 12:34 · Score: 0
  
  No but the "Cache-Control: no-store" and other options for this header can control this.
14. Re:Why the surprise? by kommakazi · 2013-12-18 08:13 · Score: 1
  
  Only visible to the user account it's created in. If you're letting other people use your user account, you are the problem, not the browser.
Really, Slashdot? by RedBear · 2013-12-13 08:39 · Score: 4, Informative

Again?
First, it's previous versions of Safari that are affected. Interesting how that isn't even mentioned.
Second, as already pointed out on the MacRumors forums, the stored "session" data is merely the URLs of the web pages you have open, which is passed over the wire in plain text anyway when you open or reopen the URL.
If you're encrypting your drive with FileVault and have a decent password on your user account, this becomes entirely an issue with the piss-poor security practices of the STUPID WEBSITES that are revealing your login information in plain text right in the URL. Any bookmark of such a URL with also "reveal" your "unencrypted" login credentials. Which is entirely the fault of the website.
Also, it's fixed in latest Safari.
So... yeah. End of the world, apparently.
1. Re:Really, Slashdot? by Geoffrey.landis · 2013-12-13 08:52 · Score: 1
  
  ...Second, as already pointed out on the MacRumors forums, the stored "session" data is merely the URLs of the web pages you have open, which is passed over the wire in plain text anyway when you open or reopen the URL.
  along with the password and login.
  from the article: "the login and password are not encrypted (see the red oval in the screenshot).
  
  --
  http://www.geoffreylandis.com
2. Re:Really, Slashdot? by Anonymous Coward · 2013-12-13 09:01 · Score: 1
  
  SSL (https) only sends the HOST as part of the request header unencrypted, the /GET (i.e. path and variables) are transmitted encrypted. Therefore the full URL with paths and variables exposes more than what would normally be visible "over the wire".
3. Re:Really, Slashdot? by RedBear · 2013-12-13 09:18 · Score: 5, Informative
  
  ...Second, as already pointed out on the MacRumors forums, the stored "session" data is merely the URLs of the web pages you have open, which is passed over the wire in plain text anyway when you open or reopen the URL.
  along with the password and login.
  from the article: "the login and password are not encrypted (see the red oval in the screenshot).
  Yes, I know. The login and password credentials in the red oval are encoded in the stored URL of a web page that was open in a tab in a Safari browsing session. Those URLs are created by the websites you visit, not by Safari. Safari just stores the URLs so that your tabs can be reloaded when you reopen the browser. Safari isn't secretly copying your login data in plain text and then failing to encrypt it, it's just storing the URLs you currently have open in your browsing session. There's nothing sinister or incompetent going on here.
  It's good that they are now encrypting the stored browser session file. It certainly doesn't hurt anything to have another layer of protection. But that same URL information will be stored, unencrypted, in any bookmark that you make when visiting such a website while you are logged in. If someone sits at your computer and examines your bookmarks or looks at the URL in your open tabs they will see your login credentials in such URLs. Unless you want to be forced to enter a master password every time you try to edit a bookmark, use a bookmark, or examine the URL in the address bar, there is no solution to this. The solution for protecting the saved session file is FileVault, and locking your computer when you aren't sitting in front of it, which is exactly the same way you protect all the other vulnerable data in your user account.
  The root cause of the login credentials being revealed in plain text in bookmarks, the session file and the address bar is the deplorable practice of websites putting your login and password in the URL in plain text. The solution to this is to smack the websites upside the head until they modify their security practices.
4. Re:Really, Slashdot? by RedBear · 2013-12-13 09:29 · Score: 1
  
  SSL (https) only sends the HOST as part of the request header unencrypted, the /GET (i.e. path and variables) are transmitted encrypted. Therefore the full URL with paths and variables exposes more than what would normally be visible "over the wire".
  Thanks, I didn't know that.
  Nevertheless the practice of putting login credentials in the URL is extremely bad and the session file with saved URLs is just one of several places where someone accessing your computer can see URLs, like in the address bar itself and in saved bookmarks. Encrypting the session file is sort of like putting a bandaid on a severed femoral artery. Another bandaid would be encrypting HTTPS bookmarks and obscuring the text in the address bar on HTTPS sites unless you enter a master password to reveal it. But that would be kind of ridiculous, wouldn't it?
  The websites that are still putting your username and password in their URLs are the ones who should be named and shamed. Whether they are using SSL or not, it's a terrible practice, for precisely the reason that you have no idea how the URLs may be stored or revealed by the end user's computer.
5. Re:Really, Slashdot? by Maestro485 · 2013-12-13 09:30 · Score: 1
  
  The LastSession.plist file stores way, way more data than just URL's.
  When I log into my bank account, my username and password are not in the URL and certainly not passed unencrypted over the wire. They are happily stored in the LastSession.plist file though.
  I'm using Safari 7 on Mavericks, so it clearly isn't fixed in the latest version.
6. Re:Really, Slashdot? by kwark · 2013-12-13 09:40 · Score: 1
  
  "Thanks, I didn't know that."
  You didn't know that because it is not true. SSL encrypts everything before anything is send. That is why (before SNI) it is impossible to have multiple certificates for multiple virtualhosts on 1 ip adress: the host that is being queried and has to match a certificate CN isn't known at the time of the SSL handshake.
7. Re:Really, Slashdot? by Anonymous Coward · 2013-12-13 09:50 · Score: 0
  
  Look closer. It's not the part of a URL - it's a part of form data.
  If you track back, you'll see that URL is just "http://gmail.com/", and then follows "application/x-www-form-urlencoded", which contains that login and password.
  It doesn't show up on the screen like that - it's sent as a POST request, and "restoring the session" this way in this specific case sounds weird - there's that thing called "cookie", which keeps your session open between browser shutdowns, is not replayable and doesn't contain the auth info to steal...
8. Re: Really, Slashdot? by Anonymous Coward · 2013-12-13 09:53 · Score: 0
  
  Forth, the entire flash storage is encrypted with the unlock keypad or pin.
9. Re:Really, Slashdot? by RedBear · 2013-12-13 10:01 · Score: 1
  
  The LastSession.plist file stores way, way more data than just URL's.
  When I log into my bank account, my username and password are not in the URL and certainly not passed unencrypted over the wire. They are happily stored in the LastSession.plist file though.
  I'm using Safari 7 on Mavericks, so it clearly isn't fixed in the latest version.
  So you're saying you found your banking website login credentials stored in plain text in your LastSession.plist file while you were using Safari 7, and that information is absolutely not in the URL of the web page?
  I can't replicate this using my banking site with Safari 7.0 on Mavericks. Nothing shows up when I grep my LastSession.plist file after logging in to my bank's website. Not my username or my password. By all means report it if true. I can't imagine how Apple would really be dumb enough to store secure login data that belongs in the keychain in a simple plain text plist file, but if you have evidence that they are that dumb, reveal it. They should by all means be slapped if so.
  The only evidence that I've so far seen is a screenshot of login credentials revealed in a URL, which they just didn't encrypt in exactly the same way that bookmarks aren't encrypted. What you're claiming you've seen would be a far worse security screw up than just storing URLs unencrypted.
10. Re:Really, Slashdot? by pegr · 2013-12-13 10:02 · Score: 1
  
  Almost right. The host header is encrypted. The target IP address is in-the-clear for obvious reasons. Your IP stack does not connect to DNS names. It connects to IP addresses. DNS resolves the DNS name, then the stack connects to the address.
  Now the DNS name might be unencrypted during the SSL negotiation, but that's not the HTTP header, as your browser has to decide if it likes the SSL cert before it negotiates. Part of that check is "does the host name match the cert?". I'd look up SSL negotiation details, but I'm lazy.
11. Re:Really, Slashdot? by BasilBrush · 2013-12-13 10:05 · Score: 1
  
  The LastSession.plist file stores way, way more data than just URL's.
  Yeah, it stores window sizes and stuff like whether toolbars and tabs are hidden. Big deal.
  http://www.appleexaminer.com/MacsAndOS/Analysis/HowTo/SafariBrowserAnalysis/files/multiple-lastsession.png
  
  When I log into my bank account, my username and password are not in the URL and certainly not passed unencrypted over the wire. They are happily stored in the LastSession.plist file though.
  Feel free to supply a suitably masked copy of the lines from your own LastSession.plist that you believe is doing that.
12. Re:Really, Slashdot? by RedBear · 2013-12-13 10:34 · Score: 1
  
  Look closer. It's not the part of a URL - it's a part of form data.
  If you track back, you'll see that URL is just "http://gmail.com/", and then follows "application/x-www-form-urlencoded", which contains that login and password.
  It doesn't show up on the screen like that - it's sent as a POST request, and "restoring the session" this way in this specific case sounds weird - there's that thing called "cookie", which keeps your session open between browser shutdowns, is not replayable and doesn't contain the auth info to steal...
  If this is true (and it certainly appears to be), then I guess that implies that the user credential data was in fact constructed by Safari and not included in a URL by the website, and I'm a moron and most of my previous posts should be modded down to oblivion. Also, Apple should be slapped for bad security practices and revealing user passwords and logins in plain text outside of the keychain. Unfortunately I am at my limit of knowing how to parse the information from the screenshot and know where it really came from. So, I'll shut up now.
  I can at least confirm that passwords are not revealed in this way with Safari 7.0 on Mavericks. When I log in to Gmail and grep for my password in LastSession.plist I get no match.
13. Re:Really, Slashdot? by Anonymous Coward · 2013-12-13 10:42 · Score: 0
  
  Actually, some other comment on this page claims it's fixed in 6.1, available for older OS X versions since October, and the article speaks about 6.0.5.
  Still, article says how they "informed Apple about the problem" - may be they had that post hidden after disclosure to Apple to give them time to fix it, and now it auto-published or something...
14. Re:Really, Slashdot? by Anonymous Coward · 2013-12-13 15:58 · Score: 0
  
  Apache has supported "multiple certificates for multiple virtual hosts on 1 ip address" for quite some years already. You probably haven't checked almost for a decade!
15. Re:Really, Slashdot? by viperidaenz · 2013-12-13 17:17 · Score: 1
  
  It doesn't appear the login and password are stored in the URL.
  It appears they're the body of a POST request, hence the url-encode/www-forms shit that precedes it.
  So what really happened, was there was a form being submitted to an HTTPS url. That data was never sent anywhere in plain text. Safari then stored the entire request in plain text and saved it to the hard drive.
16. Re:Really, Slashdot? by viperidaenz · 2013-12-13 17:23 · Score: 1
  
  Unless you're connecting through a proxy, then the CONNECT command sends the hostname, not the IP, since your machine may not have access to a DNS server that can resolve hostnames outside the local network.
17. Re:Really, Slashdot? by kwark · 2013-12-13 22:58 · Score: 1
  
  And that technique is called: SNI
  And even though the servers supported it for a "long" time, some clients didn't, most notably the mobile browsers.
18. Re:Really, Slashdot? by konohitowa · 2013-12-17 03:25 · Score: 1
  
  When I log into my bank account, my username and password are not in the URL and certainly not passed unencrypted over the wire. They are happily stored in the LastSession.plist file though.
  Feel free to supply a suitably masked copy of the lines from your own LastSession.plist that you believe is doing that.
  I suspect that someone doesn't know exactly where the autofill passwords come from (Keychain) and assumes that they're in the LastSession properties list.
Comparison? by Anonymous Coward · 2013-12-13 08:42 · Score: 1

What do other browsers do?
1. Re:Comparison? by unixisc · 2013-12-13 08:52 · Score: 1
  
  Particularly Camino?
2. Re:Comparison? by thedbp · 2013-12-13 09:45 · Score: 1
  
  I'd mod this Funny if I had points, but I don't, so I'll just say thanks for the laugh.
Not in current version by Anonymous Coward · 2013-12-13 08:42 · Score: 0

Summary is in present tense, but per the article, this applies only to older versions of Safari (6.0.5 on Lion and Mountain Lion.) The current version of Safari is 7 (on Mavericks) and 6.1 (on Lion and Mountain Lion.)
1. Re:Not in current version by Anonymous Coward · 2013-12-13 08:49 · Score: 5, Informative
  
  Summary is in present tense, but per the article, this applies only to older versions of Safari (6.0.5 on Lion and Mountain Lion.) The current version of Safari is 7 (on Mavericks) and 6.1 (on Lion and Mountain Lion.)
  And to be perfectly clear...the current versions, 6.1 and 7, do NOT have this issue.
  http://www.zdnet.com/safari-on-mac-os-exposes-web-login-credentials-7000024287/
  So the news is basically, "Older version of software has bug which is patched in current version."
only if window is still open at quit by hyperorbiter · 2013-12-13 08:46 · Score: 1

as far as i can tell, if you close the tab before you quit, it won't store the data. not ideal, but something worth telling users about until a fix comes...
1. Re:only if window is still open at quit by dwightk · 2013-12-15 17:51 · Score: 1
  
  something worth telling users about until they install the fix that came out a couple months ago.
  
  --
  Like anyone can even know that
Massively overblown issue? by Alsee · 2013-12-13 08:47 · Score: 4, Insightful

Encrypting the data certainly isn't a bad idea, but unless I'm missing something here, encrypting the data is nothing more than a lame case of security through obscurity. If the browser stores the data encrypted, then the browser also needs to store the KEY to re-open the file. If someone can get a hold of the file, then they can also get a hold of the key to decrypt that file.
If there's a security problem here, it's the Restore Session functionality itself. Perhaps secure sessions shouldn't be restorable?
-

--
- - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
1. Re:Massively overblown issue? by tlhIngan · 2013-12-13 08:53 · Score: 1
  
  Perhaps secure sessions shouldn't be restorable?
  Which is great, if there aren't sites that use HTTPS because they can, thus making session restore completely useless.
  It's fine if it's only stuff that needs to be secure like your banking and such, but when they start securing web forums and other things....
2. Re:Massively overblown issue? by chuckugly · 2013-12-13 08:56 · Score: 1
  
  Or they should require the user to re-enter the credentials during the restoration.
3. Re:Massively overblown issue? by Anonymous Coward · 2013-12-13 09:23 · Score: 0
  
  Better fix. Everyone stop being lazy and requiring that their web browser re open all pages that you had open previously? It would take less time, processing power, and bandwidth to only open the one page you need than to restore all 500 tabs at once (even if they don't "load the page" until you click on them).
  Secret side effect: Everyone would start to notice their memory improving slowly over time due to having to actually remember things.
4. Re:Massively overblown issue? by Dynedain · 2013-12-13 09:24 · Score: 1
  
  If the browser prompted for a password every time it was launched, you'd quickly find that most people would disable the feature.
  The need for security like this has to be weighed against the desire for convenience.
  
  --
  I'm out of my mind right now, but feel free to leave a message.....
5. Re:Massively overblown issue? by kwark · 2013-12-13 09:44 · Score: 1
  
  OSX appears to have something called a keychain, store the password to crypt there and keep the store encrypted.
6. Re:Massively overblown issue? by keytoe · 2013-12-13 09:48 · Score: 1
  
  Or they should require the user to re-enter the credentials during the restoration.
  Technically, that's what happens. Safari doesn't store any credentials itself, they're stored in the system keychain and Safari asks the keychain whenever it needs a key. The keychain itself has a master password and its contents are encrypted.
  On the other hand, by default the keychain password is set to the login password and is automatically unlocked when the user logs in. Further, most users choose to have their computers automatically log in at boot - so there is no effective protection if someone gets ahold of their computer.
  You can change those defaults to be more secure. Apple chose not to make that the default as most people simply don't care.
  Personally, my keychain password is different, my computer doesn't automatically log me in, and the keychain locks itself after 15 minutes or system sleep. This is annoying as I have to authenticate myself every time an application needs something from the keychain - something a regular user wouldn't put up with.
  
  --
  Culture is more than commerce
7. Re:Massively overblown issue? by Anonymous Coward · 2013-12-13 17:26 · Score: 0
  
  Absolutely key point here. There's another aspect that no one seems to be considering..so okay, the malware or hacker is local on my system, what is to stop them from overwriting a shared library or similar that my browser uses? So.. the credentials are stored encrypted-- right next to the key used to decrypt it. And great, okay, lets prompt the user for a password to decrypt the encrypted key to decrypt the encrypted session data.. and we're going to protect the libraries from the attacker and make sure that password prompt isn't actually just a trojaned version of the prompt how exactly?
  Oh I know, we could sign all of the libraries and executables and then require a password to load unsigned ones.. wait thats called UAC and no one likes that, besides, then Iran will just hack a registrar and get signed binaries and the NSA will just FISA their way into it. HRM.
  Okay, well fuck it, store the data unencrypted because there is no sane way to secure it that doesnt recursively make the users life a pain in the ass for an attack scenario that in essence truly doesnt matter. You don't even know youre actually executing safari at that point and we're blathering about a .plist file.
8. Re:Massively overblown issue? by viperidaenz · 2013-12-13 17:27 · Score: 1
  
  That's when you store the key in the OS's keystore, so it at least requires the correct user to be logged in.
9. Re:Massively overblown issue? by smash · 2013-12-15 05:06 · Score: 1
  
  If the browser is sitting at a logged in desktop then presumably they are authenticated. If you are leaving your desktop logged in, unattended, etc. there are far bigger problems here.
  
  --
  I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
The missing store nothing option by Anonymous Coward · 2013-12-13 08:50 · Score: 0

I just wish there were an option to store nothing or keep shit in ram which dies with the browser process except for sites you want to keep long term sessions with. All the browsers constantly write all kinds of shit to disk in the form of cookies, histories, cached files. Information used against you constantly to track your every move and potentially accessible by prosecutors normally incentivized by prosecution rates rather than search for truth to twist all traffic and search terms into grand criminal conspiracies.
First-world problems strike again! by Anonymous Coward · 2013-12-13 08:51 · Score: 0, Funny

What a tragic first-world problem. Do we need to hold candlelight vigils to share in this tragedy?
1. Re:First-world problems strike again! by Anonymous Coward · 2013-12-13 08:59 · Score: 0
  
  If you're not in the "first world", you don't have much incentive to read slashdot...
2. Re:First-world problems strike again! by NoNonAlphaCharsHere · 2013-12-13 09:00 · Score: 3, Funny
  
  We're talking about Macs. It's a first-world problem by definition.
3. Re:First-world problems strike again! by Anonymous Coward · 2013-12-13 09:48 · Score: 0
  
  It's true: Macs are a first-world problem.
4. Re:First-world problems strike again! by Anonymous Coward · 2013-12-13 10:00 · Score: 0
  
  Not true. They are also problems for the third-world slaves who make them.
Information Loss? by craighansen · 2013-12-13 09:01 · Score: 2

The rest of the summary would be consistent with labelling this as an "Information Leak" rather than "Information Loss." ...or perhaps the author meant a loss of security or privacy. Can I beg for summary writers and editors to try harder to get at least the first sentence clear and correct?
1. Re:Information Loss? by jo_ham · 2013-12-14 05:07 · Score: 1
  
  You'll first have to get them to make sure the story as a whole is correct - this issue has been patched for a while and only affects old versions of Safari that are limited to 10.7 and 10.8 (and an update on those older systems fixed it there too). Safari on 10.9 has never been affected.
  This issue was fixed at least 2 months ago.
Chrome sucks, Safari sucks, IE sucks. FF FTW. by rsborg · 2013-12-13 10:01 · Score: 1

So, as far as I can tell, Safari doesn't actually block 3rd party cookies despite saying it does, and stores your credentials in plain text.
Sounds like Apple have some issues on their hands.
Hell, in my experience with Safari on Windows, deleting a cookie causes WebKit2WebProcess to crash.
Looks like the only major browser that really your needs seriously is Firefox. Given thats the sole purpose of the organization that produces it, that is a lot more re-assuring to me. Go FF.

--
Make sure everyone's vote counts: Verified Voting
Re:Chrome sucks, Safari sucks, IE sucks. FF FTW. by mlts · 2013-12-13 10:10 · Score: 1

I respect that FF has its own authentication/encryption mechanism in place and can be set to require a password before access to passwords or other local data is granted. I wish more Web browsers did this, as opposed to relying on the OS for security.
My new plugin idea by InlawBiker · 2013-12-13 10:35 · Score: 1

Encrypt the local disc cache with a hash, just in case somebody gets into my file system later and pokes around in my history. To pull back from cache it automatically brute-forces it for you. Hope you weren't going to use your browser for anything over the next thousand years.
What browser doesn't? by FuzzNugget · 2013-12-13 13:40 · Score: 1

Am I to believe that other browsers -- Firefox, Chrome, Opera, IE -- store their session and save data in an encrypted file or container? And even if they don't, so what? If someone has access to your browser's data folder, they can access your session data by, y'know, opening the browser with it pointed to the folder. Not to mention, that they have access to your files, which is a bigger problem in itself.
And please do explain to me how browsers' saved credentials should be stored in an encrypted manner without prompting the user for a master key.
1. Re:What browser doesn't? by Anonymous Coward · 2013-12-13 13:58 · Score: 0
  
  The point is, if you missed it, that those versions of Safari basically restore some of opened tabs on launch _by storing and re-sending authentication forms on those web pages_. It's not about cookies or form auto-fill and I don't think other browsers do that.
2. Re:What browser doesn't? by viperidaenz · 2013-12-13 17:29 · Score: 1
  
  I don't believe any other browser stores the data in a POST request to an HTTPS site.
Exasperated sigh by xfurious · 2013-12-13 14:24 · Score: 2

All this article means is that Google has a bug to fix with regards to the post back response on the GMail login page.
Some in this discussion say things like:

along with the password and login.
from the article: "the login and password are not encrypted (see the red oval in the screenshot).
Let's be clear here. The only time that any browser's session restore feature would store your username and password is because it's part of the HTTP request itself. An HTTP request can be a GET or a POST. Good web developers never send sensitive information in a GET, nor should a GET actually _do_ anything other than get a resource. POST requests should be used for this instead, which do not convey the private information in the URL bar. Now, POST requests are not inherently more secure than GETs, and the data they pass is actually in the same format as the data in URL-based GET requests, and just as visible to observers on the network. I'm just getting some of the technical background set for all of the (clearly *very*) technical people who read Slashdot these days.
The "problem" is that older versions of Safari stores the details of POST requests "unencrypted". Which is fine because any encryption is meaningless if decryption can be done without user intervention. You would not encrypt some file and then place the key next to it and then store it that way would you? Nonetheless, this is exactly what happens when the encryption key is stored on the same volume as the encrypted file. If it can be found by software then it can be found by an attacker.
The really funny part is that this looks like the page Safari saved was a GMail login attempt which was unsuccessful (duh? the credentials are clearly not real). Google is doing authentication (almost) the right way here fellas, the only time that using GMail involves having your plaintext credentials in a POST request is during login and login alone. From there on out it's just record keeping (valid session list on the server, and a known session ID in the hands of each client).
You can see this for yourself by opening up an Incognito session and going to gmail.com, and typing fake credentials (i don't know, "kaspersky_user" and "kaspersky_pass" come to mind for some reason), then on the "Invalid login" page, hit refresh. You will be prompted by your browser to resend the login credentials. There! You see that the browser _still has_ your login credentials from before! AMAZING! Did you know that if you leave that tab untouched for three days your creds will still be resent again when you finally refresh??
Safari like any other browser with a restore session feature, saves that POST data. Because it's just POST data to the browser. And if you are sitting on a page that is itself the result of a POST request, the browser MUST save that data if it intends to give you the same page when you return... by both specification and convention. Google can fix this particular issue by redirecting their invalid logins back to GET requests like the rest of the civilized world. That protects their users account credentials from inadvertent storage on disk.
The more interesting part is how someone would think that this would be immediately dangerous, because had the user successfully logged in, they would not have been sitting on that POST request would they! That's right the credentials would have long vanished and would never have made their way to disk. The only time this would happen in practicality is when the credentials were NOT correct. Don't get me wrong, that can still be valuable to an attacker, but its a Google bug not a Safari one anyway. Nonetheless in GMail's situation, this is a rare and definitely not reliably exploitable issue from the perspective of potential attackers.
I cannot stress enough that credential leaks within a session backing file on a hard disk is only a problem when the site itself messes up or is written improperly and/or insecurely. And on the local side: If you d
1. Re:Exasperated sigh by viperidaenz · 2013-12-13 17:38 · Score: 1
  
  Data sent over a secure connection should not be stored on the hard drive in plain text. The only place it should ever be is in the private memory space of the browser.
  That's why your browser doesn't cache files from an HTTPS url on your hard drive.
  Storing the URL for the history, not so bad
  Storing the post data so it can be resubmitted, bad. A user should also always be warned when a post request is being resubmitted, since the HTTP RFC's only says get, head, put and delete should be idempotent.
  RFC2616:
  
  In particular, the convention has been established that the GET and HEAD methods SHOULD NOT have the significance of taking an action other than retrieval. These methods ought to be considered "safe". This allows user agents to represent other methods, such as POST, PUT and DELETE, in a special way, so that the user is made aware of the fact that a possibly unsafe action is being requested.
2. Re:Exasperated sigh by xfurious · 2013-12-14 08:14 · Score: 1
  A user should also always be warned when a post request is being resubmitted, since the HTTP RFC's only says get, head, put and delete should be idempotent.
  RFC2616:
  
  In particular, the convention has been established that the GET and HEAD methods SHOULD NOT have the significance of taking an action other than retrieval. These methods ought to be considered "safe". This allows user agents to represent other methods, such as POST, PUT and DELETE, in a special way, so that the user is made aware of the fact that a possibly unsafe action is being requested.
  While I agree with your sentiment here (I would prefer my browser to just not save any POST data at all for tab recovery since its so extremely rare that doing so would actually be useful), the RFC section you quote does not specify anything about persistence of resources to backing storage. It simply indicates the way browsers should treat these resources in a general sense. And according to the verbiage you have provided, Safari, Chrome and Firefox are all working as expected, because that paragraph is actually telling the browsers that automatic resubmission of non-GET requests can (and almost always does) have side effects (such as doing a duplicate post to a forum for instance).
  Indeed my original post indicates briefly that I was already well-aware of this distinction between GET requests being idempotent (ie has no side effects) and other requests not being safe for resubmission. All modern standards-compliant browsers warn the users before resending the results of POST requests (Are you sure you want to resubmit?). Furthermore, none of these three major browsers (Chrome, Safari, Firefox) will act upon POST requests when they are pulled out of the session recovery feature.
  Although respecting idempotency of non-GET requests is not at issue in this topic, I nonetheless tested this as a side effect (huzzah) of seeing how common the storage of POST data for recovery actually is.
  Chrome
  Chrome has an interesting behavior when it comes to storing POST data for reopening later, it appears to save the response content of an HTTP POST and does not resubmit the POST request. The user is presented with the content they saw when they initially sent the POST request. Nonetheless one can refresh (with Are you sure you want to resubmit) and the data will be resent in a new POST request. So Chrome is storing HTTP POST data for reuse when the tab is restored.
  For HTTPS POST resources however, Chrome will _not_ automatically restore the page content from its backing store (and by implication likely does not save it) and also will not resend the request until the user manually refreshes the page. HOWEVER, at that point all of the original data from the first POST request is resent. Thus HTTPS POST data _is_ persisted by Chrome.
  Firefox
  Firefox has completely different behavior. From my testing it will save POST resources as GET resources, and when they are restored, I receive a new fresh GET request from my test server. So, Firefox is NOT saving POST data for reuse upon tab recovery.
  Conclusion
  I'm not saying that the RFC doesn't matter because it does. Chrome should be changed to be more in line with it. Regardless of whether it is best practice for browser makers to persist this data or not, my argument about the unreliable exploitation of this problem stands because the only time this is a problem is when a website delivers a POST response without an immediate redirect, which all sites SHOULD be doing.
  The only time this isn't the case is when the resource presenting the login HTML form is also the action of the form it contains (or some variant of this situation). Now *that* is a bad practice that remains bad no matter what browser you are using.
  Test Methods
  Browser versions I tested with:
  
  Chrome: 30.0
3. Re:Exasperated sigh by xfurious · 2013-12-14 08:23 · Score: 1
  
  Also (not to double post but), while I could have tested the assertion that browsers do not cache HTTPS resources, I think I will just let StackOverflow handle that one.
  
  By default web browsers should cache content over HTTPS the same as over HTTP, unless explicitly told otherwise via the HTTP Headers received
  http://stackoverflow.com/questions/174348/will-web-browsers-cache-content-over-https
  That's from the accepted answer with 79 up votes. The second answer which has 119 upvotes says:
  
  As of 2010, all modern, current-ish browsers cache HTTPS content by default, unless explicitly told not to.
Lack of encryption is not the issue by gweihir · 2013-12-13 20:27 · Score: 1

That the data is stored at all is the issue. Even if encrypted, the key would be readily available from analyzing the application or tracing its calls.
Software people still do not get security at all. This is pathetic.

--
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Unable to replicate by Davidge · 2013-12-13 22:36 · Score: 1

So, out of curiosity, since I am on a Mac and using Safari as my main browser, I thought I'd see what was in the offending file. I have a in excess of 20 tabs open at the moment, a good deal of them to authenticated sites via https.
A quick test in Terminal like so:
$ strings LastSession.plist | grep -i pass
Produced 8 lines that matched, of which 6 matched on the word "passive" and the last two were urls that contained the word "ChangePassword". A more thorough search through the file did not produce any login credentials or passwords.
I should point out this is with the latest release version of Safari 7.0 (9537.71)

--
David de Groot Snr Systems Engineer
1. Re:Unable to replicate by jo_ham · 2013-12-14 05:11 · Score: 1
  
  You can't replicate it because Apple fixed this 2 months ago with Safari 6.1 on Lion/ML and with Safari 7 on Mavericks.
  It only affects Safari 6.