Slashdot Mirror


Safari Stores Previous Browsing Session Data Unencrypted

msm1267 writes "Users of Apple's Safari browser are at risk for information loss because of a feature common to most browsers that restores previous sessions. The problem with Safari is that it stores session information including authentication credentials used in previous HTTPS sessions in a plaintext XML file called a Property list, or plist, file. The plist files, a researcher with Kaspersky Lab's Global Research and Analysis Team said, are stored in a hidden folder, but hiding them in plain sight isn't much of a hurdle for a determined attacker. 'The complete authorized session on the site is saved in the plist file in full view despite the use of https,' said researcher Vyacheslav Zakorzhevsky on the Securelist blog. 'The file itself is located in a hidden folder, but is available for anyone to read.'"
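The two conditions the summary describes (a session file that other local accounts can read, and credential-like fields stored in plaintext) can be checked separately, as in this added example, which is not from the article or from Apple. The file name, plist structure and key-name heuristic are constructed for illustration, since the summary does not give the real path or layout; the audit reports key paths only, never values.

```python
import os
import plistlib
import stat
import tempfile

# Key-name fragments treated as credential-like (assumed heuristic, not from the article).
SENSITIVE = ("password", "passwd", "token", "cookie", "authorization", "sessionid")

def sensitive_paths(node, path=""):
    """Yield key paths (never values) whose names look credential-like."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}/{key}"
            if any(s in key.lower() for s in SENSITIVE):
                yield here
            yield from sensitive_paths(value, here)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from sensitive_paths(item, f"{path}[{i}]")

def audit_plist(path):
    """Report who can read a plist and whether it holds credential-like fields."""
    mode = os.stat(path).st_mode
    with open(path, "rb") as fh:
        raw = fh.read()
    return {
        "format": "binary" if raw.startswith(b"bplist") else "xml",
        "group_readable": bool(mode & stat.S_IRGRP),
        "world_readable": bool(mode & stat.S_IROTH),
        "sensitive_paths": sorted(sensitive_paths(plistlib.loads(raw))),
    }

def demo():
    """Audit a constructed session file, then again after tightening its mode."""
    # Constructed sample; the structure and key names are illustrative only.
    sample = {"Windows": [{"Tabs": [{"URL": "https://mail.example.test/",
              "FormFields": {"login": "alice", "Password": "REDACTED-SAMPLE"}}]}]}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "session-sample.plist")
        with open(path, "wb") as fh:
            plistlib.dump(sample, fh, fmt=plistlib.FMT_XML)
        os.chmod(path, 0o644)   # readable by every local account
        before = audit_plist(path)
        os.chmod(path, 0o600)   # owner-only
        after = audit_plist(path)
    return before, after

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Tightening the mode to 0600 clears the readability findings, but the credential-like fields are still reported, because restricting access does not encrypt the contents.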

2 of 135 comments

  1. Re:Local file by Anonymous Coward · Score: 5, Insightful

    And here we go again: someone claims that "if something is not completely perfect, it's completely useless".

    Look, even if someone gets local access to your files, you are still less fucked if some of them are encrypted.

  2. Why the surprise? by QuietLagoon · Score: 5, Insightful

    ...'The complete authorized session on the site is saved in the plist file in full view despite the use of https...

    HTTPS only ensures security between the browser and the web server. HTTPS is not designed to ensure security of what the browser decides to store locally.