Slashdot Mirror

← Back to Stories (view on slashdot.org)

Safari Stores Previous Browsing Session Data Unencrypted

Posted by Soulskill on from the security-through-obscurity dept.

msm1267 writes "Users of Apple's Safari browser are at risk for information loss because of a feature common to most browsers that restores previous sessions. The problem with Safari is that it stores session information including authentication credentials used in previous HTTPS sessions in a plaintext XML file called a Property list, or plist, file. The plist files, a researcher with Kaspersky Lab's Global Research and Analysis Team said, are stored in a hidden folder, but hiding them in plain sight isn't much of a hurdle for a determined attacker. 'The complete authorized session on the site is saved in the plist file in full view despite the use of https,' said researcher Vyacheslav Zakorzhevsky on the Securelist blog. 'The file itself is located in a hidden folder, but is available for anyone to read.'"

23 of 135 comments (clear)

  1. Local file by Anonymous Coward · · Score: 5, Informative

    If someone else is reading files on your computer, you're already screwed!

    1. Re:Local file by Anonymous Coward · · Score: 5, Insightful

      And here we go again: someone claims that "if something is not completely perfect, it's completely useless".

      Look, even if someone gets local access to your files, you are still less fucked if some of them are encrypted.

    2. Re:Local file by Anonymous Coward · · Score: 2, Insightful

      Physical access = surfing history is the least of your problems.

    3. Re:Local file by Anonymous Coward · · Score: 2, Informative

      If that's the threat you're concerned with, why not encrypt your sensitive files yourself instead of expecting your browser to encrypt one of your sensitive things?

    4. Re:Local file by Anonymous Coward · · Score: 2, Insightful

      Defense in depth. Is that really so hard for people to understand?

    5. Re:Local file by BasilBrush · · Score: 2

      Right, and the multi-user element of OSX will prevent other users from reading this file.

    6. Re:Local file by Anonymous Coward · · Score: 2, Informative

      I don't expect a browser to litter my filesystem with unencrypted sensitive data for no good reason. And if they are hidden, there should be no expectation that users manage them.

    7. Re:Local file by Anubis+IV · · Score: 5, Informative

      Quite true, but it's worth pointing out that the summary (and articles) conveniently left out the fact that this information has been encrypted for months; the issue was addressed by a Safari update that came out with Mavericks and was made available for older versions of the OS.

      In fact, the issue is specific to an outdated version of Safari (v6.0.5) that only runs on outdated versions of OS X (10.7 Lion and 10.8 Mountain Lion). Anyone who installed the free OS X 10.9 Mavericks update that came out back in October is fine, since it came with Safari 6.1, which fixed the issue. For those users who stuck with 10.7 or 10.8, OS X's built-in Software Update feature runs once a week by default, so most of them have been getting prompts since October to do a one-click upgrade that would address this issue, since Safari 6.1 is available to all of them as well.

      Long story short, this is a non-issue that affects a trivial portion of the Mac user base, since updates were issued months ago and the systems are configured such that the fix would be widely applied by default. Even so, we can agree that if you compromise physical access, you've compromised the system.

    8. Re:Local file by Bert64 · · Score: 3, Insightful

      Which means you need to enter your key every time you start the browser...
      If the browser has a way of automatically knowing the decryption key, then so does a hacker.

      Also, previous session data should be useless - the sessions should have expired, or been closed when you logged out. Most sites that offer the option to stay logged in warn you against doing so on a system you don't trust.

      And i'm pretty sure other browsers don't store persistent cookies very securely either, they used to be in a plain text file and they can certainly be viewed/user from within most browsers without having to ever supply a decryption key.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  2. Hey by NoNonAlphaCharsHere · · Score: 5, Funny

    When Apple says "easier to use", they mean for EVERYBODY.

  3. Hmmm .... by gstoddart · · Score: 5, Interesting

    So, as far as I can tell, Safari doesn't actually block 3rd party cookies despite saying it does, and stores your credentials in plain text.

    Sounds like Apple have some issues on their hands.

    Hell, in my experience with Safari on Windows, deleting a cookie causes WebKit2WebProcess to crash.

    --
    Lost at C:>. Found at C.
    1. Re:Hmmm .... by XxtraLarGe · · Score: 3, Informative

      So, as far as I can tell, Safari doesn't actually block 3rd party cookies despite saying it does, and stores your credentials in plain text.

      Yes it does. I know this because I had to disable the feature to access my banking site's eDeposit feature before it would work. Just go to Safari -> Preferences -> Privacy -> Block cookies from 3rd party sites.

      --
      Taking guns away from the 99% gives the 1% 100% of the power.
    2. Re:Hmmm .... by BasilBrush · · Score: 2

      So, as far as I can tell, Safari doesn't actually block 3rd party cookies despite saying it does

      Any evidence for you claim?

  4. Why the surprise? by QuietLagoon · · Score: 5, Insightful

    ...'The complete authorized session on the site is saved in the plist file in full view despite the use of https...

    HTTPS only ensures security between the browser and the web server. HTTPS is not designed to ensure security of what the browser decides to store locally.

    1. Re:Why the surprise? by yincrash · · Score: 5, Informative

      Pidgin (formerly gaim) also keeps unencrypted creds. This is their reasoning..

    2. Re:Why the surprise? by robmv · · Score: 2

      Wrong, use the OS provided keyring (OS X Keychain, GNOME keyring, Windows Credentials API, etc.) that protect your passwords with your local user credentials and only allow direct reading by the application that stored them. It is true that if your computer is compromised passwords are not safe either, but not all compromises have the same kind of access to a decrypt a keyring, but most if not all can read plain text files.

  5. Really, Slashdot? by RedBear · · Score: 4, Informative

    Again?

    First, it's previous versions of Safari that are affected. Interesting how that isn't even mentioned.

    Second, as already pointed out on the MacRumors forums, the stored "session" data is merely the URLs of the web pages you have open, which is passed over the wire in plain text anyway when you open or reopen the URL.

    If you're encrypting your drive with FileVault and have a decent password on your user account, this becomes entirely an issue with the piss-poor security practices of the STUPID WEBSITES that are revealing your login information in plain text right in the URL. Any bookmark of such a URL with also "reveal" your "unencrypted" login credentials. Which is entirely the fault of the website.

    Also, it's fixed in latest Safari.

    So... yeah. End of the world, apparently.

    1. Re:Really, Slashdot? by RedBear · · Score: 5, Informative

      ...Second, as already pointed out on the MacRumors forums, the stored "session" data is merely the URLs of the web pages you have open, which is passed over the wire in plain text anyway when you open or reopen the URL.

      along with the password and login.

      from the article: "the login and password are not encrypted (see the red oval in the screenshot).

      Yes, I know. The login and password credentials in the red oval are encoded in the stored URL of a web page that was open in a tab in a Safari browsing session. Those URLs are created by the websites you visit, not by Safari. Safari just stores the URLs so that your tabs can be reloaded when you reopen the browser. Safari isn't secretly copying your login data in plain text and then failing to encrypt it, it's just storing the URLs you currently have open in your browsing session. There's nothing sinister or incompetent going on here.

      It's good that they are now encrypting the stored browser session file. It certainly doesn't hurt anything to have another layer of protection. But that same URL information will be stored, unencrypted, in any bookmark that you make when visiting such a website while you are logged in. If someone sits at your computer and examines your bookmarks or looks at the URL in your open tabs they will see your login credentials in such URLs. Unless you want to be forced to enter a master password every time you try to edit a bookmark, use a bookmark, or examine the URL in the address bar, there is no solution to this. The solution for protecting the saved session file is FileVault, and locking your computer when you aren't sitting in front of it, which is exactly the same way you protect all the other vulnerable data in your user account.

      The root cause of the login credentials being revealed in plain text in bookmarks, the session file and the address bar is the deplorable practice of websites putting your login and password in the URL in plain text. The solution to this is to smack the websites upside the head until they modify their security practices.

  6. Massively overblown issue? by Alsee · · Score: 4, Insightful

    Encrypting the data certainly isn't a bad idea, but unless I'm missing something here, encrypting the data is nothing more than a lame case of security through obscurity. If the browser stores the data encrypted, then the browser also needs to store the KEY to re-open the file. If someone can get a hold of the file, then they can also get a hold of the key to decrypt that file.

    If there's a security problem here, it's the Restore Session functionality itself. Perhaps secure sessions shouldn't be restorable?

    -

    --
    - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
  7. Re:Not in current version by Anonymous Coward · · Score: 5, Informative

    Summary is in present tense, but per the article, this applies only to older versions of Safari (6.0.5 on Lion and Mountain Lion.) The current version of Safari is 7 (on Mavericks) and 6.1 (on Lion and Mountain Lion.)

    And to be perfectly clear...the current versions, 6.1 and 7, do NOT have this issue.
    http://www.zdnet.com/safari-on-mac-os-exposes-web-login-credentials-7000024287/

    So the news is basically, "Older version of software has bug which is patched in current version."

  8. Re:First-world problems strike again! by NoNonAlphaCharsHere · · Score: 3, Funny

    We're talking about Macs. It's a first-world problem by definition.

  9. Information Loss? by craighansen · · Score: 2

    The rest of the summary would be consistent with labelling this as an "Information Leak" rather than "Information Loss." ...or perhaps the author meant a loss of security or privacy. Can I beg for summary writers and editors to try harder to get at least the first sentence clear and correct?

  10. Exasperated sigh by xfurious · · Score: 2

    All this article means is that Google has a bug to fix with regards to the post back response on the GMail login page.

    Some in this discussion say things like:

    along with the password and login.

    from the article: "the login and password are not encrypted (see the red oval in the screenshot).

    Let's be clear here. The only time that any browser's session restore feature would store your username and password is because it's part of the HTTP request itself. An HTTP request can be a GET or a POST. Good web developers never send sensitive information in a GET, nor should a GET actually _do_ anything other than get a resource. POST requests should be used for this instead, which do not convey the private information in the URL bar. Now, POST requests are not inherently more secure than GETs, and the data they pass is actually in the same format as the data in URL-based GET requests, and just as visible to observers on the network. I'm just getting some of the technical background set for all of the (clearly *very*) technical people who read Slashdot these days.

    The "problem" is that older versions of Safari stores the details of POST requests "unencrypted". Which is fine because any encryption is meaningless if decryption can be done without user intervention. You would not encrypt some file and then place the key next to it and then store it that way would you? Nonetheless, this is exactly what happens when the encryption key is stored on the same volume as the encrypted file. If it can be found by software then it can be found by an attacker.

    The really funny part is that this looks like the page Safari saved was a GMail login attempt which was unsuccessful (duh? the credentials are clearly not real). Google is doing authentication (almost) the right way here fellas, the only time that using GMail involves having your plaintext credentials in a POST request is during login and login alone. From there on out it's just record keeping (valid session list on the server, and a known session ID in the hands of each client).

    You can see this for yourself by opening up an Incognito session and going to gmail.com, and typing fake credentials (i don't know, "kaspersky_user" and "kaspersky_pass" come to mind for some reason), then on the "Invalid login" page, hit refresh. You will be prompted by your browser to resend the login credentials. There! You see that the browser _still has_ your login credentials from before! AMAZING! Did you know that if you leave that tab untouched for three days your creds will still be resent again when you finally refresh??

    Safari like any other browser with a restore session feature, saves that POST data. Because it's just POST data to the browser. And if you are sitting on a page that is itself the result of a POST request, the browser MUST save that data if it intends to give you the same page when you return... by both specification and convention. Google can fix this particular issue by redirecting their invalid logins back to GET requests like the rest of the civilized world. That protects their users account credentials from inadvertent storage on disk.

    The more interesting part is how someone would think that this would be immediately dangerous, because had the user successfully logged in, they would not have been sitting on that POST request would they! That's right the credentials would have long vanished and would never have made their way to disk. The only time this would happen in practicality is when the credentials were NOT correct. Don't get me wrong, that can still be valuable to an attacker, but its a Google bug not a Safari one anyway. Nonetheless in GMail's situation, this is a rare and definitely not reliably exploitable issue from the perspective of potential attackers.

    I cannot stress enough that credential leaks within a session backing file on a hard disk is only a problem when the site itself messes up or is written improperly and/or insecurely. And on the local side: If you d