Jan 13, 2009
Security hole in Safari RSS
Brian Mastenbrook has discovered a really bad security hole in Safari RSS:
I have discovered that Apple’s Safari browser is vulnerable to an attack that allows a malicious web site to read files on a user’s hard drive without user intervention. This can be used to gain access to sensitive information stored on the user’s computer, such as emails, passwords, or cookies that could be used to gain access to the user’s accounts on some web sites. The vulnerability has been acknowledged by Apple.
All users of Mac OS X 10.5 Leopard who have not performed the workaround steps listed below are affected, regardless of whether they use any RSS feeds. Users of previous versions of Mac OS X are not affected.
He hasn’t released details yet, presumably to give Apple time to release a patch, so I don’t know what the bug is. But it’s my fault, since I either wrote the bad code myself, or at least didn’t notice a mistake a co-worker made. And since I’m not at Apple anymore I can’t help fix it.
Shit. I’m sorry, everyone.
January 13th, 2009 at 8:08 PM
Don’t beat yourself up. Even if it turns out to be something vaguely “your fault,” it’s impossible for any person to live up to a perfect standard, especially when the nuances of what makes something insecure can be hard to predict up front. There’s a reason companies like Apple and Microsoft have teams dedicated to evaluating and solving security problems. Mistakes like this are inevitable and completely expected.
January 13th, 2009 at 9:57 PM
It wouldn’t surprise me too much if it was just yet another JavaScript/XSS bug. Those are always popping up and it could really be due to something which showed up in Safari/WebKit later on.
One thing I never really liked too much about the Safari RSS model (which we’ve discussed in the past) is how it acts more like an XML→HTML translation frontend (what with its silly feed:// hack and obscuring the feed’s source, making XML-problem debugging that much more impossible) instead of an alternate markup/layout handler (like what Firefox apparently does), but it also means that it’s possible that the problem is in WebKit itself, unless it’s something particularly fiddly with how Safari RSS handles its “read items” storage or something (I must admit I haven’t really used Safari RSS that much, having always just preferred server-side aggregation such as FeedOnFeeds or, later on, Google Reader).
January 14th, 2009 at 12:52 AM
Shit happens, man. Don’t sweat the petty things and don’t pet the sweaty things.
January 14th, 2009 at 10:57 AM
Here’s what I say: Thanks for Safari RSS!
January 14th, 2009 at 12:27 PM
I wouldn’t call it a petty thing. But considering how talented Jens is, it shows just how hard it is to write bulletproof code.
March 6th, 2009 at 2:43 PM
Hey, if they REALLY want to look at pie recipes, family vaca. photos and our family budget (sniff), be my guest. Maybe they’ll have good ideas to tweak my recipes!
March 6th, 2009 at 2:45 PM
However, if you’re one of the few people who actually uses a Mac at work, this is something to be concerned about. It’s not a good idea to be cavalier about information security just because you don’t see your information as needing security.
Also, they could theoretically grab things like, say, swap files, or cookie files, or whatever, and use that to do all sorts of fun damage that way. And if you have a weak password on your OSX Keychain and you use auto-login functionality, suddenly they have your website passwords. Oops.