Closed Bug 394106 Opened 17 years ago Closed 17 years ago

CGEvent taps on Macintosh OS X can steal HTML form passwords.

Categories

(Camino Graveyard :: Security, defect)

PowerPC
macOS
defect
Not set
critical

Tracking

(Not tracked)

VERIFIED DUPLICATE of bug 394107

People

(Reporter: zillaster, Assigned: dveditz)

Details

(Whiteboard: [sg:dupe 394107])

User-Agent:       Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en) AppleWebKit/522.11.1 (KHTML, like Gecko) Version/3.0.3 Safari/522.12.1
Build Identifier: Version 2007080914 (1.5.1)

On Macintosh OS X 10.3 and later, any application can create an Event Tap to capture events as they are sent to the HID system (input devices). In this case, all events sent by all input devices to every process will be intercepted by the tap. Apple realized this could be a major security problem and implemented a way for processes to prevent events sent to password fields from being intercepted. See:
http://developer.apple.com/technotes/tn2007/tn2150.html

The gist of the tech note is for developers to call EnableSecureEventInput when the user types into a password text field (or other sensitive information). Cocoa developers get this behavior for free when using a Cocoa NSSecureTextField.

Problem:
Camino doesn't seem to be using either of the above schemes to protect HTML password entry form text input fields. I was able to write an event recording using CGEvent Taps and could record password text typed into a password HTML form text entry field.
This means Firefox is vulnerable to key loggers that are very easy to write. I was able to create a proof of concept in less than a few hours.

THIS HAS TO BE REGARDED AS A TOP-PRIORITY SECURITY BREACH!


Reproducible: Always

Steps to Reproduce:
I can supply a test application to demonstrate this security vulnerability. Please email me at bugzilla@elasmobranch.com

Actual Results:
Text typed into a password entry field in an HTML form is captured by a CG Event tap.

Expected Results:  
Key down/up events typed into password fields are not sent to the event tap.

Please contact me about getting my test application if you would like to reproduce this bug.
bugzilla@elasmobranch.com
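
The mitigation described in the report, as an added example (not code from this bug, from Camino, or from the tech note): a small guard that holds secure event input only while a password field has focus, with exactly one `DisableSecureEventInput` per `EnableSecureEventInput`. The names `secure_input_sync`, `secure_input_held` and `g_holding` are hypothetical, releasing when the application is not active is a choice of this sketch, and the non-macOS branch contains constructed stand-ins so the bookkeeping can be built anywhere.

```c
/* Added example. On macOS build with: cc guard.c -framework Carbon */
#include <stdbool.h>
#include <stdio.h>

#ifdef __APPLE__
#include <Carbon/Carbon.h>   /* declares the secure event input calls */
#else
/* Constructed stand-ins for building off macOS; they mimic the counted
   behaviour of the real calls (one disable needed per enable). */
typedef int OSStatus;
typedef unsigned char Boolean;
static int stub_count;
static OSStatus EnableSecureEventInput(void)  { stub_count++; return 0; }
static OSStatus DisableSecureEventInput(void) { if (stub_count > 0) stub_count--; return 0; }
static Boolean  IsSecureEventInputEnabled(void) { return stub_count > 0; }
#endif

/* Hypothetical state: true only while *this* app holds one enable. */
static bool g_holding;

/* Call on every focus change and on application activate/deactivate. */
static void secure_input_sync(bool password_field_focused, bool app_active)
{
    bool want = password_field_focused && app_active;
    if (want && !g_holding) {
        if (EnableSecureEventInput() == 0)   /* 0 == noErr */
            g_holding = true;
    } else if (!want && g_holding) {
        DisableSecureEventInput();           /* balance the single enable */
        g_holding = false;
    }
}

static bool secure_input_held(void) { return g_holding; }

int main(void)
{
    secure_input_sync(true, true);    /* caret enters <input type="password"> */
    printf("focused: held=%d system=%d\n",
           secure_input_held(), IsSecureEventInputEnabled());
    secure_input_sync(true, true);    /* duplicate focus event: no second enable */
    secure_input_sync(false, true);   /* focus moves to an ordinary field */
    printf("blurred: held=%d system=%d\n",
           secure_input_held(), IsSecureEventInputEnabled());
    return 0;
}
```

Tracking the held state locally matters because the calls are counted: an unbalanced enable leaves secure input on after the user has left the password field.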

FYI, this bug also affects Firefox 2.0.0.6.
Bug 394107 is the Firefox bug on this.
Josh says bug 394107 will fix this for Camino as well. Duping to that bug.
Status: UNCONFIRMED → RESOLVED
Closed: 17 years ago
Resolution: --- → DUPLICATE
(Also, keeping this as security-sensitive since it contains the same information as 394107. This bug should be opened when that one is.)
Adding sg:dupe whiteboard information to help track when to open this one.
Whiteboard: [sg:dupe 394107]
Status: RESOLVED → VERIFIED
Group: core-security