New (local) Mac OS X vulnerability: Passwords in Swap files

Nitesh Dhanjani

Jun. 27, 2004 07:37 PM



Came across this posting on BugTraq. Apparently, swap files in Mac OS X (as of 10.3.4) contain user passwords in clear text.

Run the following on your Mac OS X box to see if you can find your passwords stored in clear text:
sudo strings -8 /var/vm/swapfile0 | grep -A 4 -i longname
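A variant of the check above that reports only a hit count per swap file, so the matched strings (which may include passwords) never reach the terminal or its scrollback. This is an added example, not part of the original post or the BugTraq posting; the function names and script name are hypothetical, it assumes the same `longname` marker and `/var/vm/swapfile*` paths, and it goes beyond the single file in the command by accepting any number of swap files.

```shell
#!/bin/sh
# Added example (not from the original post): audit swap files for the
# "longname" marker without ever printing the matching strings.

# Print the number of printable runs in file $1 that contain the marker
# (case-insensitive). tr turns every non-printable byte into a newline,
# which mimics `strings`; the 8-character marker already satisfies the
# `-8` minimum length used in the original command.
marker_hits() {
    LC_ALL=C tr -c '[:print:]' '\n' < "$1" |
        LC_ALL=C grep -c -i -- "${2:-longname}" || true
}

# Scan each file given and report path, size and hit count only.
# Returns 0 if no file had hits, 1 if any did, 2 if a file was unreadable.
# A count of 0 only means the marker is absent, not that swap holds no secrets.
audit_swap() {
    rc=0
    for f in "$@"; do
        if [ ! -r "$f" ]; then
            echo "SKIP  $f (not readable; swap files are root-only)" >&2
            if [ "$rc" -eq 0 ]; then rc=2; fi
            continue
        fi
        hits=$(marker_hits "$f")
        size=$(wc -c < "$f" | tr -d ' ')
        if [ "$hits" -gt 0 ]; then
            echo "FOUND $f: $hits marker string(s) in $size bytes"
            rc=1
        else
            echo "clean $f: no marker strings in $size bytes"
        fi
    done
    return "$rc"
}

# Usage (hypothetical script name): sudo ./swapcheck.sh /var/vm/swapfile*
if [ "$#" -gt 0 ]; then
    audit_swap "$@"
fi
```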

At first, this 'vulnerability' may not seem like such a big deal. After all, the swap files are readable only by root. However, it should not be this easy for a system administrator who wants to obtain user passwords. Passwords should never be stored in clear text _anywhere_. A malicious trojan with root privileges can now steal user passwords in clear text, and many users use the same passwords for other accounts, so this is a big deal. In addition, Keychain passwords are also apparently stored in clear text within the swap files (I haven't tested this). I hope Apple fixes this soon!

Nitesh Dhanjani is a well known security researcher, author, and speaker. Dhanjani has been invited to talk at various information security events such as the Black Hat Briefings, RSA, Hack in the Box, Microsoft Blue Hat, and OSCON.