• Open Menu Close Menu
  • Apple
  • Shopping Bag
  • Apple
  • Mac
  • iPad
  • iPhone
  • Watch
  • TV
  • Music
  • Support
  • Search apple.com
  • Shopping Bag

Lists

Open Menu Close Menu
  • Terms and Conditions
  • Lists hosted on this site
  • Email the Postmaster
  • Tips for posting to public mailing lists
Re: Authenticating without UI
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Authenticating without UI

  • Subject: Re: Authenticating without UI
  • From: OL&L Lists <email@hidden>
  • Date: Fri, 25 Jun 2004 16:58:38 -0700
OK I agree with your point but..... even in that case the malicious code at some point has to perform a privileged operation which, even if i has the password will *still* trigger the *real* dialog.

I think the original question was not how to fake a Security Server dialog, but rather how to use alternate password dialogs for legit reasons instead of the Security Server's dialog - which is still not possible due to the fact that the 'legit' password dialog is controlled by and presented to the user by the Security Server itself.

Michael
Orbital Launch & Lift, Inc.
http://www,orbitallaunch.com

At 1:36 PM -0700 6/22/04, Dave Rehring wrote:
On 6/22/04 2:47 AM, OL&L Lists at email@hidden wrote:

Wrong again folks! The reason to use the 'real' password dialog is
because the real password dialog gets presented to the user by the
Security Server - the part of the OS that actually
handles/allows/disallows user authentication. Bypassing it is not a
good idea!

Michael
Orbital Launch & Lift, Inc.
http://www.orbitallaunch.com


Yes, but that's not the point. An unethical application can put up a dialog
that appears/functions exactly the same as the real dialog, and most users
would not have any reasonable way to determine that their password is being
hijacked.

Heck, I'm not even sure if/how the real dialog protects itself from
InputManager's, other than hoping the user has only installed 'nice' ones.

Later,
--
David Rehring Psychos do not explode when light hits
VP of Research and Development them, no matter how crazy they are...
Atimi Software, Inc.
www.atimi.com And totally insane guy!
_______________________________________________
cocoa-dev mailing list | email@hidden
Help/Unsubscribe/Archives: http://www.lists.apple.com/mailman/listinfo/cocoa-dev
Do not post admin requests to the list. They will be ignored.
_______________________________________________
cocoa-dev mailing list | email@hidden
Help/Unsubscribe/Archives: http://www.lists.apple.com/mailman/listinfo/cocoa-dev
Do not post admin requests to the list. They will be ignored.

References: 
 >Re: Authenticating without UI (From: Dave Rehring <email@hidden>)

  • Prev by Date: Re: Authenticating without UI
  • Next by Date: simple printing question
  • Previous by thread: Re: Authenticating without UI
  • Next by thread: Re: Authenticating without UI
  • Index(es):
    • Date
    • Thread