If I'm reading this correctly, there has to be a malicious user at the console of a logged in computer (or connected in some other authenticated way). If I have a malicious user at my console logged in as me, I've got more problems than web form passwords being revealed. Am I reading this incorrectly? > Apple Safari on Macosx may reveal user's saved passwords. A local user with > legitimate access to the system is able to steal keychained password by injecting > javascripts into a loaded webpage via applescript. > It seems that safari fails to validate the source of injected code, however apple > belives this is the correct behaviour so no fixes will be made available.
