On 5/14/07, Lucas, Mark J. <mjlucas@xxxxxxxxxxx> wrote:
If I'm reading this correctly, there has to be a malicious user at the console of a logged in computer (or connected in some other authenticated way). If I have a malicious user at my console logged in as me, I've got more problems than web form passwords being revealed. Am I reading this incorrectly?
No, you're right. Part of the point is that Safari is reading these passwords from Keychain. And the whole point of Keychain is preventing unauthorized programs from getting at the datastore. If a rogue program asked for these passwords directly, then Keychain would present a dialog alerting the user. But as the applescript shows, the program can get Safari to essentially act on its behalf.
