Mac OS X flaw reveals passwords - bit-tech.net Forums

CardJoe · 29th Feb 2008, 08:52

http://www.bit-tech.net/news/2008/02...ls_passwords/1

A security researcher and Mac fan has discovered that the latest Apple operating system keeps plain-text copies of user passwords in RAM with no security at all.

cjoyce1980 · 29th Feb 2008, 09:04

If this was a Microsoft flaw it would be front page news, but as its apple its no biggie.

I sure now that this bug is known there will be malware/spyware coders trying to exploit this, I would

Leitchy · 29th Feb 2008, 09:22

There playing it down because you need physical access to the mac itself. Not a problem then move on.... :/

Paradigm Shifter · 29th Feb 2008, 11:13

Yes, but now that it's public, it's a race between Apple to fix the hole and malware developers to come up with a way to exploit it remotely...

Bluephoenix · 29th Feb 2008, 13:17

pretty serious flaw, and at least apple has said something rather than taking their "we don't discuss things like this, we pretend they don't exist" position.

on the subject of macs in general:

r4tch3t · 29th Feb 2008, 21:41

lol nice pic.
Then again there is that hack for access to an encrypted hard disk and the computer only needs to be logged in, regardless if its locked or not. But again physical access is the key.

johnmustrule · 1st Mar 2008, 04:08

well today's news was interesting... guess I'll busy my self with a couple video games on my windows machine.... Wuhahaha!

nakchak · 1st Mar 2008, 18:51

0wn a mac:

get pleb to download a p2p client

use p2p client as host for malware, do a memory scan for the data, return memory scan as a header during file transfer

at attackers end log all received info, ip passwords etc.
use a script to SSH back to the box with root access

voila your Pwned!!! and spamming at an ungodly rate

seriously hope apple get 0wned, cus they are no better if not worse than m$ when it comes to issuing fixes
nm the fact it will shut the fan boys up in lala land, about macs being inherintly secure, there not its just more profitable to go after the majority than the minorities

Da Dego · 1st Mar 2008, 23:25

Umm, I guess I'm confused - with physical access to a windows machine, you can reboot in linux and get every password in plain text. Why is it that when it's mac, physical access is suddenly unimportant and we should burn Steve-o in effigy?

Physical access to a logged in system == insecure. Period. That goes for Windows, Mac, and Nix. Honestly now, must we turn this to a mac/windows debate?

Fozzy · 2nd Mar 2008, 05:24

Here's a scenario for you.

You bring your laptop to work and leave it unattended while you take a coffee break. 15 minutes would be just enough time for an employee to access your passwords. What does this mean? Oh nothing, unless you've recently been to paypal, ebay, online stores, did your taxes (SSN), hotmail...the list goes on and on for what any theif clever enough to hack the mac in the first place would be looking for.

Amon · 2nd Mar 2008, 05:48

Quote:

Originally Posted by Da Dego

Physical access to a logged in system == insecure. Period.

Pretty much what I had in mind, as well.

rhuitron · 2nd Mar 2008, 09:00

HA!!!!

The fish dies by it's own mouth!

Like other have said, If this was Windows, here. We'd all be shitting our pants.
I'd like to quote something that Apple Phag's ALWAYS SAY!
"We don't get viruses or Malware!"
But you do now!

What happened to superiority of the apple brand???

Jobs: "No, it's a feature. Honest. It's insanely great. You'll never forget your passwords again."
^ loving that!

Matticus · 2nd Mar 2008, 22:46

Its right that if you get physical access to a PC no matter what OS is running, your basically in, but the physically access may be only in a limited window, i.e. people going out to lunch or coffee break. So not really that much time to work your magic, atleast not if you dont work well under pressure.

But say they leave it logged in for 2 minutes while they are out of the room you have got enough time to get thier password and then come back at your leisure to get whatever information you want.

Its right that if this was microsoft it would be all over the place, maybe not just on computer related websites, but because its apple its played down, when in all honesty its pretty serious.

29th Feb 2008, 08:52	#1
CardJoe Player Character bit-tech Staff Join Date: Apr 2007 Posts: 7,940	Mac OS X flaw reveals passwords http://www.bit-tech.net/news/2008/02...ls_passwords/1 A security researcher and Mac fan has discovered that the latest Apple operating system keeps plain-text copies of user passwords in RAM with no security at all. __________________ this is joe's non-bit-tech blog

29th Feb 2008, 11:13	#4
Paradigm Shifter Lethargic Join Date: May 2006 Posts: 1,210	Yes, but now that it's public, it's a race between Apple to fix the hole and malware developers to come up with a way to exploit it remotely... __________________ Core i7 920 D0 @ 3.8GHz \| 6GB Corsair 1600MHz \| Gigabyte EX58-UD5 \| XFX 4870X2 2GB \| 4TB \| WUXGA

29th Feb 2008, 21:41	#6
r4tch3t hmmmm.... Join Date: Aug 2005 Location: New Zealand Posts: 2,882	lol nice pic. Then again there is that hack for access to an encrypted hard disk and the computer only needs to be logged in, regardless if its locked or not. But again physical access is the key. __________________ Fight my Brute The quantum limit of reality might be scaled up because we're all holograms. Obviously. Once more we see that sufficiently advanced physics is indistinguishable from getting really stoned. From here

1st Mar 2008, 04:08	#7
johnmustrule Supermodder Join Date: Jan 2006 Posts: 345	well today's news was interesting... guess I'll busy my self with a couple video games on my windows machine.... Wuhahaha! __________________ "Your belief, unfortunately, is no endorsement of truth"

1st Mar 2008, 23:25	#9
Da Dego Brett Thomas Join Date: Aug 2004 Location: Cleveland, OH USA Posts: 3,906	Umm, I guess I'm confused - with physical access to a windows machine, you can reboot in linux and get every password in plain text. Why is it that when it's mac, physical access is suddenly unimportant and we should burn Steve-o in effigy? Physical access to a logged in system == insecure. Period. That goes for Windows, Mac, and Nix. Honestly now, must we turn this to a mac/windows debate? __________________ "Frankly that seems overkill. iluvtrees2 arguing with spec is the intellectual equivalent of a bunny rabbit taking on a pissed-off lion." - Nexxo

29th Feb 2008, 09:04	#2
cjoyce1980 Supermodder Join Date: Jul 2007 Location: UK Posts: 343	If this was a Microsoft flaw it would be front page news, but as its apple its no biggie. I sure now that this bug is known there will be malware/spyware coders trying to exploit this, I would

29th Feb 2008, 09:22	#3
Leitchy Supermodder Join Date: Oct 2004 Location: Scotland Posts: 255	There playing it down because you need physical access to the mac itself. Not a problem then move on.... :/

29th Feb 2008, 13:17	#5
Bluephoenix Spoon? What spoon? Join Date: Dec 2006 Location: Daytona Beach, FL Posts: 936	pretty serious flaw, and at least apple has said something rather than taking their "we don't discuss things like this, we pretend they don't exist" position. on the subject of macs in general:

1st Mar 2008, 18:51	#8
nakchak Minimodder Join Date: Mar 2005 Posts: 20	0wn a mac: get pleb to download a p2p client use p2p client as host for malware, do a memory scan for the data, return memory scan as a header during file transfer at attackers end log all received info, ip passwords etc. use a script to SSH back to the box with root access voila your Pwned!!! and spamming at an ungodly rate seriously hope apple get 0wned, cus they are no better if not worse than m$ when it comes to issuing fixes nm the fact it will shut the fan boys up in lala land, about macs being inherintly secure, there not its just more profitable to go after the majority than the minorities

2nd Mar 2008, 05:24	#10
Fozzy Ultramodder Join Date: Jan 2005 Location: Olympia, WA Posts: 1,386	Here's a scenario for you. You bring your laptop to work and leave it unattended while you take a coffee break. 15 minutes would be just enough time for an employee to access your passwords. What does this mean? Oh nothing, unless you've recently been to paypal, ebay, online stores, did your taxes (SSN), hotmail...the list goes on and on for what any theif clever enough to hack the mac in the first place would be looking for. __________________ Sponsors: http://www.koolance.com/images/homeimage01.jpg http://www.dangerden.com/templates/r...eader-wide.jpg http://i233.photobucket.com/albums/e...age00001-2.jpg

2nd Mar 2008, 09:00	#12
rhuitron Bump? What Bump? Join Date: Aug 2006 Location: Northern California, Usa Posts: 122	HA!!!! The fish dies by it's own mouth! Like other have said, If this was Windows, here. We'd all be shitting our pants. I'd like to quote something that Apple Phag's ALWAYS SAY! "We don't get viruses or Malware!" But you do now! What happened to superiority of the apple brand??? Jobs: "No, it's a feature. Honest. It's insanely great. You'll never forget your passwords again." ^ loving that! __________________ You use an Apple?? Go play in traffic.

2nd Mar 2008, 22:46	#13
Matticus Do me a favour, plug me into a Sega Join Date: Feb 2008 Location: Peterborough Posts: 1,396	Its right that if you get physical access to a PC no matter what OS is running, your basically in, but the physically access may be only in a limited window, i.e. people going out to lunch or coffee break. So not really that much time to work your magic, atleast not if you dont work well under pressure. But say they leave it logged in for 2 minutes while they are out of the room you have got enough time to get thier password and then come back at your leisure to get whatever information you want. Its right that if this was microsoft it would be all over the place, maybe not just on computer related websites, but because its apple its played down, when in all honesty its pretty serious. __________________ \|\|\|E8200@3.4ghz\|\|\|GA-P35-DS3L\|\|\|4GB OCZ/Corsair DDR2 800\|\|\|8800GT 512mb\|\|\|VX450w\|\|\|Under Water\|\|\|