[Developers] SECURITY: trivial reveal of stored passwords
Eric Warnke
ericew at gmail.com
Wed Aug 22 01:18:57 CEST 2007
On 8/21/07, Daniel M. Zimmerman <dmz+lists at tffenterprises.com> wrote:
> Of course, if you do this, it pretty much eliminates all the convenience of
> using SSHKeychain. Was this bug present in pre-0.8 versions? (e.g., could
> one simply revert to an old version rather than purging the keychain?)
>
> -Dan
I can't be positive, but the bug has probably been there since the
beginning. MacFusion has an almost identical bug. Root actually
can't exploit this bug unless they too are running as the user. But
any application could silently pull all stored passwords.
-Eric