Re: Application Security...
- Subject: Re: Application Security...
- From: publiclook <email@hidden>
- Date: Wed, 19 Feb 2003 07:38:50 -0500
On Wednesday, February 19, 2003, at 07:10 AM, Sven A. Schmidt wrote:
B. it is really talking to another "secure" object (System internal or
application internal)
Objects are not secure. Logins are secure. The objects in the
applications you use can't do anything that you don't have
authorization to do.
I've been recently asking myself the same question as Adam (see the
'patching' thread).
A very concrete concern is this: Can one write an Input Manager that
spies on a password text field and then saves (or even mails) what it
sees? I haven't found the time to try this, yet. AFAIK writing an
Input Manager is not very difficult (probably like Services).
I am sure that this could be done. Of course, you would have to install
such an input manager. You might call it a trojan horse. How is it any
different from an application that directly mails passwords? If you
download an untrusted application that wants you to enter the root
password, what do you do? If you download an input manager that
snoops while you type the root password, what do you do?
This is nothing new. Trojan horse applications can be written for the
command line. Your best protection is to not know the root password :(
I guess people running as root shouldn't use untrusted applications or
untrusted input managers.
See http://www.princeton.edu/~psg/unix/osx/osxsecurity.html.
P.S. On Mac OS 9 and Windows NT, it is possible to write an application
that watches the keyboard and reports everything you type. How is this
different from the Cocoa input manager concern?
_______________________________________________
cocoa-dev mailing list | email@hidden