Major security bug in Safari allowing preview of saved passwords without any protection at all.

ton4o_1ton4o_1
Posted:
in Mac Software
Safari saved passwords preview is protected but this can be prevented and worst case is if you have autocomplete on - just open web inspector and change input type="password" to input type="text" the content of the input is revealed . The input HAS to empty itself on type change thus keeping the data safe. Already told [email protected] but no response received. Hopefully this will be fixed soon.

Comments

  • Reply 1 of 1
    MarvinMarvin Posts: 15,322moderator
    ton4o_1 said:
    Safari saved passwords preview is protected but this can be prevented and worst case is if you have autocomplete on - just open web inspector and change input type="password" to input type="text" the content of the input is revealed . The input HAS to empty itself on type change thus keeping the data safe. Already told [email protected] but no response received. Hopefully this will be fixed soon.
    Emptying the field on type change wouldn't make much of a difference, you can read the contents of any password field with the Javascript console. Go to any site with a password field e.g GMail and fill it in either manually or with autofill. Then right-click the field and click Inspect Element. At the bottom of the inspector is the interactive Javascript console. Just type in:

    var pass = document.querySelector('input[type=password]'); pass.value;

    It will print out the value of the password field. Password fields hold the value in plain text, the visual dots are just to prevent other people seeing what's being typed in.

    With autofill, someone with access to your computer could see your passwords and this may allow them to access more than the autofill sites. This isn't really preventable unless they break Javascript's access to the password field but this would break some password submissions, especially Ajax requests. The autofill has to fill in the fields directly and these are held client-side and sent in plaintext. Browsers would have to switch to using a hash system for the password fields to avoid this.

    That's not to say emptying the password field isn't worth doing, the fewer options the better but it's neither a major security bug nor the solution to it. If people don't want anyone accessing their passwords, the password storage feature has to be turned off.

    Really we should be moving away from remote passwords entirely to using encryption keys and only use passwords locally. I don't know why the major services haven't done it yet.
    ton4o_1
Sign In or Register to comment.