Forgot your password?
Safari Security Apple

Safari Stores Previous Browsing Session Data Unencrypted 135

Posted by Soulskill
from the security-through-obscurity dept.
msm1267 writes "Users of Apple's Safari browser are at risk for information loss because of a feature common to most browsers that restores previous sessions. The problem with Safari is that it stores session information including authentication credentials used in previous HTTPS sessions in a plaintext XML file called a Property list, or plist, file. The plist files, a researcher with Kaspersky Lab's Global Research and Analysis Team said, are stored in a hidden folder, but hiding them in plain sight isn't much of a hurdle for a determined attacker. 'The complete authorized session on the site is saved in the plist file in full view despite the use of https,' said researcher Vyacheslav Zakorzhevsky on the Securelist blog. 'The file itself is located in a hidden folder, but is available for anyone to read.'"
This discussion has been archived. No new comments can be posted.

Safari Stores Previous Browsing Session Data Unencrypted

Comments Filter:
  • Hmmm .... (Score:5, Interesting)

    by gstoddart (321705) on Friday December 13, 2013 @04:33PM (#45683849) Homepage

    So, as far as I can tell, Safari doesn't actually block 3rd party cookies despite saying it does, and stores your credentials in plain text.

    Sounds like Apple have some issues on their hands.

    Hell, in my experience with Safari on Windows, deleting a cookie causes WebKit2WebProcess to crash.

A consultant is a person who borrows your watch, tells you what time it is, pockets the watch, and sends you a bill for it.