Safari Security Apple

Safari Stores Previous Browsing Session Data Unencrypted

Posted by Soulskill
from the security-through-obscurity dept.
msm1267 writes "Users of Apple's Safari browser are at risk for information loss because of a feature common to most browsers that restores previous sessions. The problem with Safari is that it stores session information including authentication credentials used in previous HTTPS sessions in a plaintext XML file called a Property list, or plist, file. The plist files, a researcher with Kaspersky Lab's Global Research and Analysis Team said, are stored in a hidden folder, but hiding them in plain sight isn't much of a hurdle for a determined attacker. 'The complete authorized session on the site is saved in the plist file in full view despite the use of https,' said researcher Vyacheslav Zakorzhevsky on the Securelist blog. 'The file itself is located in a hidden folder, but is available for anyone to read.'"
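The exposure the summary describes, as an added example that is not from the article, Kaspersky or Apple: a small audit script that parses a session-restore plist with Python's plistlib and reports which HTTPS tab records carry credential-looking fields in the clear. The plist layout and key names are constructed assumptions for this illustration, not Safari's actual on-disk format.

```python
import plistlib
import re
# Constructed sample shaped like a session-restore plist: one HTTPS tab that
# carries its authorised session state in the clear, one plain-HTTP tab.
# Key names are assumptions for this illustration, not Safari's real format.
SAMPLE_PLIST = plistlib.dumps({"SessionWindows": [{"TabStates": [
    {"TabURL": "https://bank.example/account", "TabTitle": "My Account",
     "SessionState": {"Cookie": "sessionid=c0nstructed-value; Secure"}},
    {"TabURL": "http://news.example/", "TabTitle": "News"},
]}]})

# Field names that usually hold credentials or session identifiers.
SENSITIVE_KEY = re.compile(r"cookie|auth|session|token|password", re.I)

def _leaves(node, path=()):
    """Yield (key_path, value) for every scalar in a nested plist structure."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _leaves(value, path + (str(key),))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _leaves(value, path + (f"[{index}]",))
    else:
        yield path, node

def find_exposed_sessions(plist_bytes):
    """Report HTTPS tab records whose saved state holds credential-looking
    string fields: data HTTPS protected in transit but stored in the clear."""
    findings = []
    def visit(node):
        if isinstance(node, dict):
            # A dict that directly holds an HTTPS URL is treated as one tab record.
            url = next((v for v in node.values()
                        if isinstance(v, str) and v.lower().startswith("https://")), None)
            if url:
                for path, value in _leaves(node):
                    if isinstance(value, str) and value and \
                            any(SENSITIVE_KEY.search(p) for p in path):
                        findings.append({"url": url, "field": "/".join(path),
                                         "redacted": value[:8] + "..."})  # never echo the secret
                return  # do not descend again into the same record
            for value in node.values():
                visit(value)
        elif isinstance(node, list):
            for value in node:
                visit(value)

    visit(plistlib.loads(plist_bytes))
    return findings
```

Pointing the function at a real session file on a test machine would show the same thing the researcher saw: everything the HTTPS session set is readable by any process that can read the file.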
  • Re:Local file (Score:5, Insightful)

    by Anonymous Coward on Friday December 13, 2013 @04:32PM (#45683843)

    And here we go again: someone claims that "if something is not completely perfect, it's completely useless".

    Look, even if someone gets local access to your files, you are still less fucked if some of them are encrypted.

  • Re:Local file (Score:2, Insightful)

    by Anonymous Coward on Friday December 13, 2013 @04:34PM (#45683859)

    Physical access = surfing history is the least of your problems.

  • Why the surprise? (Score:5, Insightful)

    by QuietLagoon (813062) on Friday December 13, 2013 @04:35PM (#45683869)

    ...'The complete authorized session on the site is saved in the plist file in full view despite the use of https...

    HTTPS only ensures security between the browser and the web server. HTTPS is not designed to ensure security of what the browser decides to store locally.

  • by Alsee (515537) on Friday December 13, 2013 @04:47PM (#45683985) Homepage

    Encrypting the data certainly isn't a bad idea, but unless I'm missing something here, encrypting the data is nothing more than a lame case of security through obscurity. If the browser stores the data encrypted, then the browser also needs to store the KEY to re-open the file. If someone can get a hold of the file, then they can also get a hold of the key to decrypt that file.

    If there's a security problem here, it's the Restore Session functionality itself. Perhaps secure sessions shouldn't be restorable?


  • Re:Local file (Score:2, Insightful)

    by Anonymous Coward on Friday December 13, 2013 @05:38PM (#45684449)

    Defense in depth. Is that really so hard for people to understand?

  • Re:Local file (Score:4, Insightful)

    by Bert64 (520050) <bert@slash d o t . f i renzee.com> on Friday December 13, 2013 @06:34PM (#45685011) Homepage

    Which means you need to enter your key every time you start the browser...
    If the browser has a way of automatically knowing the decryption key, then so does a hacker.

    Also, previous session data should be useless - the sessions should have expired, or been closed when you logged out. Most sites that offer the option to stay logged in warn you against doing so on a system you don't trust.

    And I'm pretty sure other browsers don't store persistent cookies very securely either, they used to be in a plain text file and they can certainly be viewed/used from within most browsers without having to ever supply a decryption key.
