December 16, 2013

Kaspersky uncovers Safari data loss loophole

Apple has already been notified about the vulnerability.

By CBR Staff Writer

Kaspersky has exposed a security loophole in Apple’s Safari web browser.

The browser stores authentication credentials from earlier web sessions in a plaintext XML file known as a property list (plist), which it reads to restore open web pages after the browser is closed.

The details remain unencrypted and are stored in a standard plist file that is accessible to anyone.

Kaspersky Lab Global Research and Analysis Team researcher Vyacheslav Zakorzhevsky said that the complete authorised session on the site is saved in the plist file in full view despite the use of https.
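As an added illustration (not code from the article or from Kaspersky), the following Python script shows how a defender could audit a property-list file for serialised session data that carries credentials and check whether the file is readable by other users. The plist structure and the `~/Library/Safari/LastSession.plist` location are assumptions; the sample plist is constructed inline.

```python
import os
import plistlib
import re
import stat
from typing import Iterator

# Markers that suggest a stored request or response carried credentials.
SENSITIVE_RE = re.compile(r"(?i)(authorization:|password=|passwd=|pwd=|set-cookie:|cookie:)")

# Assumed location of Safari's session file; not stated by the article.
DEFAULT_PATH = os.path.expanduser("~/Library/Safari/LastSession.plist")


def walk_strings(node, path: str = "") -> Iterator[tuple[str, str]]:
    """Yield (key-path, text) for every string or data leaf in a plist tree."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk_strings(value, f"{path}/{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk_strings(value, f"{path}[{index}]")
    elif isinstance(node, bytes):
        yield path, node.decode("utf-8", errors="replace")
    elif isinstance(node, str):
        yield path, node


def find_credential_leaks(plist_bytes: bytes) -> list[str]:
    """Return key-paths whose value looks like it contains session credentials."""
    data = plistlib.loads(plist_bytes)
    return [path for path, text in walk_strings(data) if SENSITIVE_RE.search(text)]


def world_readable(path: str) -> bool:
    """True if the file mode grants read access to users other than the owner/group."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


# Constructed sample; the layout is invented for illustration, not Safari's real format.
SAMPLE_PLIST = plistlib.dumps({
    "SessionWindows": [{
        "TabStates": [
            {"TabURL": "https://example.test/home",
             "SessionState": b"GET /home HTTP/1.1\r\nHost: example.test\r\n"},
            {"TabURL": "https://example.test/login",
             "SessionState": b"POST /login HTTP/1.1\r\nCookie: sid=abc123\r\n\r\nuser=alice&password=hunter2"},
        ]
    }]
})

if __name__ == "__main__":
    for hit in find_credential_leaks(SAMPLE_PLIST):
        print("credential-like data at", hit)
    if os.path.exists(DEFAULT_PATH):
        print("session file world-readable:", world_readable(DEFAULT_PATH))
```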

"The file itself is located in a hidden folder, but is available for anyone to read," Zakorzhevsky said. "We’re ready to bet that it won’t be long before it appears."

The firm has already notified Apple of the vulnerability.

Two versions of Apple's operating system are currently affected by the issue: OS X 10.8.5 with Safari 6.0.5 (8536.30.1) and OS X 10.7.5 with Safari 6.0.5 (7536.30.1).


The security firm also noted that the browser's 'Reopen All Windows from Last Session' option reopens the sites the user had left open in the previous session, restoring them from this file.

"You can just imagine what would happen if cybercriminals or a malicious program got access to the LastSession.plist file on a system where the user logs in to Facebook, Twitter, LinkedIn or their online bank account," Zakorzhevsky added.

"As far as we are concerned, storing unencrypted confidential information with unrestricted access is a major security flaw that gives malicious users the opportunity to steal user data with a minimum of effort."
