Older Versions of Safari Store Login Info in Plain Text - MacRumorsOpen MenuShow RoundupsShow Forums menuVisit ForumsOpen Sidebar
Skip to Content

Older Versions of Safari Store Login Info in Plain Text

by

Older versions of Safari for Mac store unencrypted user login credentials in a plain text file, according to security firm Kaspersky (via ZDNet). Safari saves the information in order to restore a previous browsing session, reopening all sites, even those that require authentication using the browser's "Reopen All Windows from Last Session" functionality.

safari_loophole_01

Plist file screenshot showing login credentials from Kaspersky

It turns out that Safari for Mac OS, like many other contemporary browsers, can restore the previous browsing session. In other words, all the sites that were open in the previous session – even those that required authorization – can be restored in a few simple steps when the browser is launched. Convenient? Of course. Safe? No, unfortunately.

Safari 6.0.5 for OS X 10.8.5 and 10.7.5 does not encrypt previous sessions, storing them instead in a standard LastSession.plist file that includes website usernames and passwords. Though the file is located in a hidden folder, it is still easily accessible and can be opened on any system.

Apple fixed this issue in Safari 6.1, which was released alongside OS X 10.9 Mavericks. Mac users running Mavericks or those who have installed the Safari 6.1 update for OS X 10.8 Mountain Lion or OS X 10.7 Lion will not be affected. This problem is limited to users running Safari 6.0.5 and can be remedied by upgrading to the latest software.

Top Rated Comments

john.jansen Avatar
john.jansen
160 months ago
Thats totally misleading, firstly there is no point in encrypting data which can be seen in the browser address bar when the previous session is restored. Secondly, those are url params, sent in plain text over the wire. The problem with the example shown is not at the browser end, its the site at the other end which uses url params for auth over http not https.

Storm in a teacup anyone?
Score: 22 Votes (Like | Disagree)
B
batchtaster
160 months ago
Has nobody looked at Firefox's Saved Passwords feature? Literally the only security is a button labeled "Show Passwords". And it's been that way for years.

Score: 11 Votes (Like | Disagree)
O
osx11
160 months ago
Sometimes it amazes me how simple things like this go unnoticed for so long.
Score: 8 Votes (Like | Disagree)
C
cantona1995
160 months ago
Has nobody looked at Firefox's Saved Passwords feature? Literally the only security is a button labeled "Show Passwords". And it's been that way for years.

Image (http://cdn2.brunocunha.com/blog/wp-content/uploads/2013/08/firefox-passwords.png)

But you need to enter the Master Password to see them and the file that contains the passwords on the filesystem has its contents encrypted so not the same at all
Score: 5 Votes (Like | Disagree)
iSee Avatar
iSee
160 months ago
Thats totally misleading, firstly there is no point in encrypting data which can be seen in the browser address bar when the previous session is restored. Secondly, those are url params, sent in plain text over the wire. The problem with the example shown is not at the browser end, its the site at the other end which uses url params for auth over http not https.

Storm in a teacup anyone?

BOOM! You just sunk Kaspersky's battle ship.
Score: 4 Votes (Like | Disagree)
rboerdijk Avatar
rboerdijk
160 months ago
<sarcasm on>
If the password is visible in plaintext, it means the NSA will catch more terrorists. So this is basically a good thing.
</sarcasm off>
Score: 4 Votes (Like | Disagree)
Read All Comments

Popular Stories

iPhone 18 Pro Deep Red Feature

iPhone 18 Pro Launching Later This Year With These 12 New Features

Wednesday March 18, 2026 7:39 am PDT by
While the iPhone 18 Pro and iPhone 18 Pro Max are not expected to launch for another six months or so, there are already plenty of rumors about the devices. It was initially reported that the iPhone 18 Pro models would have fully under-screen Face ID, with only a front camera visible in the top-left corner of the screen. However, the latest rumors indicate that only one Face ID component...
Read Full Article78 comments
ios 26 4 yellow

Here Are Apple's Release Notes for iOS 26.4

Wednesday March 18, 2026 11:56 am PDT by
Apple provided developers and public beta testers with the release candidate versions of iOS 26.4 and iPadOS 26.4, which means we're going to see a public launch as soon as next week. The RC versions of the software include Apple's official release notes, giving us final details on what's included in the update. Apple Music - Playlist Playground (beta) generates a playlist from your...
Read Full Article104 comments
Apple Logo Sketch Feature

Apple Has Now Unveiled Eight New Products This Month

Tuesday March 17, 2026 9:25 am PDT by
Apple has unveiled a whopping eight new products so far this March, including an iPhone 17e, iPad Air models with the M4 chip, MacBook Air models with the M5 chip, MacBook Pro models with M5 Pro and M5 Max chips, the all-new MacBook Neo, an updated Studio Display, a higher-end Studio Display XDR, and now the AirPods Max 2 this week. iPhone 17e features the same overall design as the iPhone...
Read Full Article
Related Apple News: Culture | Opinion | Iphone | News | Motoring