Users of Apple’s Safari browser are at risk for information loss because of a feature common to most browsers that restores previous sessions.
The problem with Safari is that it stores session information including authentication credentials used in previous HTTPS sessions in a plaintext XML file called a Property list, or plist, file.
The plist files, a researcher with Kaspersky Lab’s Global Research and Analysis Team said, are stored in a hidden folder, but hiding them in plain sight isn’t much of a hurdle for a determined attacker.
“The complete authorized session on the site is saved in the plist file in full view despite the use of https,” said researcher Vyacheslav Zakorzhevsky on the Securelist blog. “The file itself is located in a hidden folder, but is available for anyone to read.”
Zakorzhevsky said Kaspersky Lab has notified Apple of the vulnerability; he added that he is unaware of any active exploits targeting the information stored in a plist file.
“We’re ready to bet that it won’t be long before it appears,” Zakorzhevsky said.
Hackers have made short work of browser vulnerabilities for years in order to hijack sessions and steal data sent through the browser. An attacker who builds code to land on a victim’s browser and restore a previous session would have unobstructed access to anything the user was doing at the time, including social networking, online banking or any other potentially sensitive transaction.
“The system can easily open a plist file,” Zakorzhevsky said. “It stores information about the saved session—including http requests encrypted using a simple Base64 encoding algorithm—in a structured format.”
Zakorzhevsky said the Reopen All Windows from Last Session, which can be found in the dropdown menu from the History tab on Safari, will open sites exactly as the user left them in the previous session. They are stored in a plist filed called LastSession.plist, Zakorzhevsky said.
Zakorzhevsky added that Mac OS X 10.8.5 and 10.7.5 support Safari 6.0.5, which hosts the functionality.
“You can just imagine what would happen if cybercriminals or a malicious program got access to the LastSession.plist file on a system where the user logs in to Facebook, Twitter, LinkedIn or their online bank account,” Zakorzhevsky said. “As far as we are concerned, storing unencrypted confidential information with unrestricted access is a major security flaw that gives malicious users the opportunity to steal user data with a minimum of effort.”
