Loophole in Safari
In our search for various types of malicious code for Mac we recently came across a rather interesting peculiarity in Safari. It turns out that Safari for Mac OS, like many other contemporary browsers, can restore the previous browsing session. In other words, all the sites that were open in the previous session – even those that required authorization – can be restored in a few simple steps when the browser is launched. Convenient? Of course. Safe? No, unfortunately.
So that the browser knows what was open at the end of the previous session, the relevant information needs to be stored somewhere. Obviously, that needs to be somewhere that isn’t easily accessible to just anybody, and the information definitely needs to be encrypted.
Safari, however, doesn’t encrypt previous sessions and stores them in a standard plist file that is freely accessible. As a result, it’s easy to find a user’s login credentials:
It’s pretty clear that the login and password are not encrypted (see the red oval in the screenshot).