Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

User profile for user: Apple Bacon Butter
Apple Bacon Butter Author
User level: Level 1
0 points

Safari 5.1 Security Issue?

Just noticed that when using the two-finger swipe gesture to go Back in Safari, the cached image of the webpage you're going back to displays briefly before the browser attempts to refresh it. This gives a a very slick/immediate look to the interface, but temporarily reveals whatever info was displayed on that page.


So, for example, if you had just been on your banks site viewing your account info, and then clicked on the logout button and left the computer sitting there, the next person to come by could simply gesture Back and screenshot the cached web page with whatever info was on it. This behavior completely circumvents the auto-logout/timeout in use by most banks and other sites displaying sensitive information.


Preemptively:


1. Yes, you could avoid this problem by always closing the browser window when you're finished.


2. Yes, this seems to only be a problem on machines using gestures (laptops, desktops w/ magic trackpads).


But it seems like once an unscrupulous character discovered this flaw, it would quickly be expolited. Thoughts?

Posted on Jul 7, 2012 12:38 PM

Reply
7 replies
User profile for user: Carolyn Samit
Carolyn Samit
User level: Level 10
165,615 points

Jul 7, 2012 12:48 PM in response to Apple Bacon Butter

, the next person to come by could simply gesture Back and screenshot the cached web page with whatever info was on it.

If there are multiple users on your Mac, setup individual accounts with their own login name and password.


That way not only are your banking credentials safe but any other sensitive data also.


BTW, in case you are not aware, on a banking site, if you are setting up a payment schedule, never go back to the previous page. That can resullt in duplicate payments. That's true with any browser and most banking institutions provide that warniing on their stie.

Reply
User profile for user: Apple Bacon Butter
Apple Bacon Butter Author
User level: Level 1
0 points

Jul 7, 2012 1:30 PM in response to Carolyn Samit

Hi Carolyn,


Thanks for the response, but my reason for posting is not to find a secure workaround or best practice for myself. It is to reveal a potentially serious security flaw in the design that could affect a very large percentage of users, given the way most folks use their machines.


Your suggestion to create multiple user accounts, while handy in multiple-user households, is not immediately relevant to this issue, as this problem affects even those machines with singer users/owners. Further, I never mentioned anything specifically about payment schedules, or online payments in general. Your advice about not using the Back button when processing online payments is correct, but not relevant here. This issue could affect any user viewing sensitive info of any kind.


Most users do not bother closing windows every time they get up, much less log out of their user account. Someone with sinister intentions could swipe Back, screenshot, and copy the image to a flashdrive in about 10 seconds, before the owner returns and even realizes what has happened.

Reply
User profile for user: Apple Bacon Butter
Apple Bacon Butter Author
User level: Level 1
0 points

Jul 7, 2012 2:12 PM in response to Linc Davis

Linc Davis wrote:


It's not a security flaw. Anyone who can access your account has all your data, including your browsing history, your bookmarks, and your saved passwords. That's the intended behavior. The countermeasures provided are screen locking and encryption. If you don't use those countermeasures, your data is unsafe.

On the contrary, this is indeed a security flaw. It is not a failure of the technology, but rather of the design.


Access to "browsing history" is not a big deal. It may be a privacy concern, but no web content is contained there. Bookmarks are the same deal, just links. And most folks likely do not use an autofil password for their banking information (and even if you did, you'd have to go out of your way to enable that). My bank (and every other that I've seen) does not provide the ability through their site to autofill passwords or keep you logged in. In fact, most log you out after a given time.


"Encryption", as you suggest, doesn't solve the problem, as this is not an issue of data interception between client and host. And "screen locking" is not enabled by default. In fact, even if it was, you'd still have to manually lock the screen each time you got up to be safe, as the auto locking wouldn't kick in for a few minutes.




Ok guys, before anyone else wastes their time explaining to me the thousands of different ways to work around this issue, let me clarify the point here:


Good security practices should include measures and systems that are "fail-secure", by default. In other words, if a website has measures to automatically log you out upon timeout for security reasons, the browser should not permit an easily and quickly accessible means of circumventing that security feature and displaying your recently accessed data.


In other words, when your grandma sits down to view her banking info, and she logs out of her bank site when she's finished (thinking she has now securly logged off), it shouldn't be possible for someone to slip up behind her and capture the last displayed (sensitive) data within 10 seconds.


Suggestions requiring further knowledge or preemptive (and less-than-obvious) steps by all end users to prevent this are not reasonable, or a practical solution.

Reply

Safari 5.1 Security Issue?

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple ID.
Learn more Sign up