• Open Menu Close Menu
  • Apple
  • Shopping Bag
  • Apple
  • Mac
  • iPad
  • iPhone
  • Watch
  • TV
  • Music
  • Support
  • Search apple.com
  • Shopping Bag

Lists

Open Menu Close Menu
  • Terms and Conditions
  • Lists hosted on this site
  • Email the Postmaster
  • Tips for posting to public mailing lists
Re: Application Security...
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Application Security...

  • Subject: Re: Application Security...
  • From: "Sven A. Schmidt" <email@hidden>
  • Date: Wed, 19 Feb 2003 14:44:53 +0100
On Mittwoch, Februar 19, 2003, at 01:38 Uhr, publiclook wrote:

I've been recently asking myself the same question as Adam (see the 'patching' thread).

A very concrete concern is this: Can one write an Input Manager that spies on a password text field and then saves (or even mails) what it sees? I haven't found the time to try this, yet. AFAIK writing an Input Manager is not very difficult (probably like Services).


I am sure that this could be done. Of course, you would have to install such an input manager. You might call it a trojan horse. How is it any different from an application that directly mails passwords ? If you download an untrusted application that wants you to enter the root password, what do you do ? If you download an input manager that snoops while you type the root password, what do you do ?

This is nothing new. Trojan horse applications can be written for the command line. Your best protection is to not know the root password :( I guess people running as root shouldn't use untrusted applications or untrusted input managers.

See http://www.princeton.edu/~psg/unix/osx/osxsecurity.html.

P.S. On Mac OS 9 and Windows NT, it is possible to write an application that watches the keyboard and reports everything you type. How is this different from the Cocoa input manager concern ?

Well, first off, having a similar problem elsewhere doesn't really make it less of a concern for me on my platform.

I can't judge on the difficulty of writing a keyboard sniffer on NT but I believe a real problem on OSX might be that it's so easy to write and deploy a Trojan. You don't have to install in system directories and any text field in other Cocoa apps can be sniffed.

I agree that you should not run as root. But you don't have to, because a lot of tasks require an Administrator password. So even if you're 'only' an Administrator, you'll give away that password and with that and 'sudo' you'll come a long way.

I'm not trying to spread FUD or bash the OSX security model. Maybe I just want to be relieved by someone who knows better and steps forward saying: "No worries, Input Managers are ignored by the Authorization framework and its input text fields." Until that happens (or I've experimented with Input Managers) I'll just keep going with a little doubt.

Sven
_______________________________________________
cocoa-dev mailing list | email@hidden
Help/Unsubscribe/Archives: http://www.lists.apple.com/mailman/listinfo/cocoa-dev
Do not post admin requests to the list. They will be ignored.
  • Follow-Ups:
    • Re: Application Security...
      • From: Joshua S Emmons <email@hidden>
References: 
 >Re: Application Security... (From: publiclook <email@hidden>)

  • Prev by Date: Re: Application Security...
  • Next by Date: Re: Weirdness on window redraw
  • Previous by thread: Re: Application Security...
  • Next by thread: Re: Application Security...
  • Index(es):
    • Date
    • Thread