Safari’s Password Manager Not Secure
Posted by Peter James
Robert Chapin of Chapin Information Services has analyzed how the password managers in a number of web browsers work, and finds Safari tied for “last place”. Chapin tested Opera, Firefox, Internet Explorer, Safari and Google Chrome; most of the browsers failed most of his tests, but Safari passed only two of them. All told, the result is what his report calls a “toxic soup of potential vulnerabilities that can coalesce into broad insecurity.”
All modern browsers have password managers that work alone, or with other parts of the operating system, to record user names and passwords and enter them automatically in fields on web pages. (On Mac OS X, Safari works with Keychain Access to store passwords securely.) A password manager should only send a saved user name and password to a form on a page that matches the domain on which they were recorded, and should not send them anywhere else without informing the user. Yet Chapin found that this is often not the case.
Among the problems are three in particular that, when combined, allow password thieves to take passwords without the user’s knowledge.
1. The destination where passwords are sent is not checked.
2. The location where passwords are requested is not checked.
3. Invisible form elements can trigger password management.
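To make the three checks concrete, here is a small model of an autofill policy, written for this post as an added example; it is not code from the original article or from Chapin’s evaluator, and no real browser is involved. The page, form and fields are plain objects standing in for the DOM, and the saved credential, the URLs (www.example.com, evil.example) and the scenarios are all constructed sample data. The naive policy fills whenever the page’s hostname matches; the hardened policy applies the destination, location and visibility checks in turn.

```javascript
// Added example (not from the original post or Chapin's evaluator): a toy
// autofill policy that models the three checks. DOM objects are simulated.

// Constructed sample: a credential saved while logging in at
// https://www.example.com/login. The full origin (scheme, host, port) is kept.
const SAVED = {
  origin: "https://www.example.com",
  username: "alice",
  password: "correct horse battery staple",
};

// Origin = scheme + host (+ non-default port); path and query are irrelevant.
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Resolve the form's submit target as a browser would: an empty or missing
// action means "submit back to the current page".
function resolveAction(form, pageUrl) {
  return new URL(form.action || "", pageUrl).href;
}

// Naive manager (the behaviour that fails Chapin's tests): fill whenever the
// page's hostname matches the hostname the credential was saved on. It never
// looks at where the form submits, at the scheme, or at whether the fields
// can be seen.
function naiveShouldFill(cred, page) {
  return new URL(page.url).hostname === new URL(cred.origin).hostname;
}

// A field counts as visible only if it is a real text/password input that is
// rendered with a non-zero box. (Simulated style/layout properties.)
function isVisible(field) {
  return (
    (field.type === "text" || field.type === "password") &&
    field.display !== "none" &&
    field.visibility !== "hidden" &&
    field.width > 0 &&
    field.height > 0
  );
}

// Hardened manager: the three checks, with a reason for each refusal.
function hardenedShouldFill(cred, page, form) {
  // 1. Destination: credentials go only to the origin they were saved for.
  const action = resolveAction(form, page.url);
  if (originOf(action) !== cred.origin) {
    return { fill: false, reason: `form submits to ${originOf(action)}, not ${cred.origin}` };
  }
  // 2. Location: the page asking must be the saved origin (same scheme, host
  //    and port); a hostname-only match lets an http:// page ask for https:// passwords.
  if (originOf(page.url) !== cred.origin) {
    return { fill: false, reason: `page origin ${originOf(page.url)} differs from ${cred.origin}` };
  }
  // 3. Visibility: never auto-fill fields the user cannot see.
  if (!form.fields.every(isVisible)) {
    return { fill: false, reason: "login fields are hidden" };
  }
  return { fill: true, reason: "ok" };
}

const visibleField = (type) => ({ type, display: "block", visibility: "visible", width: 150, height: 20 });
const hiddenField = (type) => ({ type, display: "none", visibility: "visible", width: 0, height: 0 });
const loginFields = (make) => [make("text"), make("password")];

// Constructed scenarios. The attack pages sit on www.example.com itself, the
// way the fake MySpace form sat on myspace.com: user-supplied content on the
// victim's own domain.
const SCENARIOS = {
  legitimate: {
    page: { url: "https://www.example.com/login" },
    form: { action: "/login", fields: loginFields(visibleField) },
  },
  foreignDestination: { // problem 1: same host, form posts to the attacker
    page: { url: "https://www.example.com/profiles/attacker" },
    form: { action: "https://evil.example/collect", fields: loginFields(visibleField) },
  },
  wrongScheme: { // problem 2: plain-http page asks for an https credential
    page: { url: "http://www.example.com/profiles/attacker" },
    form: { action: "https://www.example.com/login", fields: loginFields(visibleField) },
  },
  invisibleForm: { // problem 3: hidden fields, script on the page reads them after fill
    page: { url: "https://www.example.com/profiles/attacker" },
    form: { action: "/login", fields: loginFields(hiddenField) },
  },
};

function evaluate(name) {
  const { page, form } = SCENARIOS[name];
  return { naive: naiveShouldFill(SAVED, page), hardened: hardenedShouldFill(SAVED, page, form) };
}

function evaluateAll() {
  const out = {};
  for (const name of Object.keys(SCENARIOS)) out[name] = evaluate(name);
  return out;
}

// Stand-alone run: show which policy would fill in each scenario.
if (typeof require !== "undefined" && require.main === module) {
  for (const [name, r] of Object.entries(evaluateAll())) {
    console.log(`${name}: naive=${r.naive} hardened=${r.hardened.fill} (${r.hardened.reason})`);
  }
}
```

Run with `node` and the naive policy fills in all four scenarios, because every page lives on www.example.com; the hardened policy fills only the legitimate one. The invisible-form case is the one that needs no foreign destination at all: once the manager has filled hidden fields, a script on the page can read their values and send them wherever it likes, which is why visibility has to be a check in its own right rather than something left to the user to notice.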
While Chapin analyzed Windows browsers, we ran a series of tests of the current version of Safari for Mac OS X (3.2.1) using Chapin’s Password Manager Evaluator. We obtained the exact same results for Safari for Mac OS X as he reports for the Windows version.
Users should be very careful about letting Safari enter a user name and password automatically on a page that seems unfamiliar. The danger is not limited to unfamiliar sites, either: the page presenting the fake form can live on a domain the user trusts. As Macworld reports, hackers did exactly this with “a fake password entry form on a MySpace page. Because both the fake and real login forms were on the myspace.com domain, browsers like Firefox could be tricked into automatically sending login information to the fraudsters.” It seems that Safari is vulnerable to this strategy as well. Using a password manager is practical and saves time, and it lets users create unique passwords for different sites without having to remember them, but this study makes clear that the practice carries real risk.