Closed
Bug 394106
Opened 17 years ago
Closed 17 years ago
CGEvent taps on Macintosh OS X can steal HTML form passwords.
Categories
(Camino Graveyard :: Security, defect)
Tracking
(Not tracked)
VERIFIED
DUPLICATE
of bug 394107
People
(Reporter: zillaster, Assigned: dveditz)
Details
(Whiteboard: [sg:dupe 394107])
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en) AppleWebKit/522.11.1 (KHTML, like Gecko) Version/3.0.3 Safari/522.12.1 Build Identifier: Version 2007080914 (1.5.1) On Macintosh OS X 10.3 and later, any application can create an Event Tap to capture events as they are sent to the HID system (input devices). In this case, all events sent by all input devices to every process will be intercepted by the tap. Apple realized this could be a major security problem and implemented a way for processes to disallow events to password fields to be intercepted. See: http://developer.apple.com/technotes/tn2007/tn2150.html The gist of the tech note is for developers to call EnableSecureEventInput when the user types into a password text field (or other sensitive information). Cocoa developers get this behavior for free when using a Cocoa NSSecureTextField. Problem: Camino doesn't seem to be using either of the above schemes to protect HTML password entry form text input fields. I was able to write an event recording using CGEvent Taps and could record password text typed into a password HTML form text entry field. This means Firefox is vulnerable to key loggers that are very easy to write. I was able to create a proof of concept in less than a few hours. THIS HAS TO BE REGARDED AS A TOP-PRIORITY SECURITY BREACH! Reproducible: Always Steps to Reproduce: I can supply a test application to demonstrate this security vulnerability. Please email me at bugzilla@elasmobranch.com Actual Results: Text typed into a password entry field in an HTML form is captured by a CG Event tap. Expected Results: Key down/up events typed into password fields are not sent to the event tap. Please contact me about getting my test application if would like to reproduce this bug. bugzilla@elasmobranch.com FYI, this bug also affects Firefox 2.0.0.6.
Comment 1•17 years ago
|
||
Bug 394107 is the Firefox bug on this.
Comment 2•17 years ago
|
||
Josh says bug 394107 will fix this for Camino as well. Duping to that bug.
Status: UNCONFIRMED → RESOLVED
Closed: 17 years ago
Resolution: --- → DUPLICATE
Comment 3•17 years ago
|
||
(Also, keeping this as security-sensitive since it contains the same information as 394107. This bug should be opened when that one is.)
Assignee | ||
Comment 4•17 years ago
|
||
Adding sg:dupe whiteboard information to help track when to open this one.
Whiteboard: [sg:dupe 394107]
Updated•17 years ago
|
Status: RESOLVED → VERIFIED
Assignee | ||
Updated•15 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•