msm1267 writes “Users of Apple’s Safari browser are at risk for information loss because of a feature common to most browsers that restores previous sessions. The problem with Safari is that it stores session information including authentication credentials used in previous HTTPS sessions in a plaintext XML file called a Property list, or plist, file. The plist files, a researcher with Kaspersky Lab’s Global Research and Analysis Team said, are stored in a hidden folder, but hiding them in plain sight isn’t much of a hurdle for a determined attacker. ‘The complete authorized session on the site is saved in the plist file in full view despite the use of https,’ said researcher Vyacheslav Zakorzhevsky on the Securelist blog. ‘The file itself is located in a hidden folder, but is available for anyone to read.’”
More:
Safari Stores Previous Browsing Session Data Unencrypted