"Standard" password input in the Terminal should activate secure input

Originator:jalkut
Number:rdar://19189911 Date Originated:12/9/2014
Status:Open Resolved:
Product:OS X Product Version:10.10.1
Classification:Security Reproducible:Always
 
Summary:
Utilities invoked from the Terminal that use standard or semi-standard system calls to prompt for a password should give users the same security benefits that secure GUI text fields do.

Currently, keystrokes typed into one of these seemingly secure prompts are available to any other process that uses a CGEventTap to monitor keyboard events, because the prompt does not enable secure event input the way a secure text field does.

Two examples that come to mind are "sudo" and "ssh". A nefarious application that monitors keystrokes could use this weakness to obtain the user's own admin password, or the authentication password to a remote server.
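The mitigation the report asks for, shown as an added example that is not part of the radar and not code from any Apple tool: a command-line password prompt that turns off terminal echo and, on OS X, wraps the read in Carbon's EnableSecureEventInput/DisableSecureEventInput so that keystrokes are withheld from CGEventTap listeners for the duration of the prompt. The Carbon symbols are resolved at run time with dlopen/dlsym (an assumption made here so the file builds without framework link flags and still compiles on non-Apple systems, where the secure-input step is simply skipped); the prompt text and function names are hypothetical.

```c
/* secure_prompt.c: read a secret without echo, with OS X secure event input
 * enabled while the read is in progress. Added example, not from the radar.
 * Assumes the public Carbon functions EnableSecureEventInput(),
 * DisableSecureEventInput() (OSStatus, 0 == noErr) and
 * IsSecureEventInputEnabled() (Boolean), loaded dynamically. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <termios.h>
#include <unistd.h>
#ifdef __APPLE__
#include <dlfcn.h>
#endif

typedef int (*status_fn)(void);             /* OSStatus-returning entry points */
typedef unsigned char (*bool_fn)(void);     /* Boolean-returning entry point   */

#ifdef __APPLE__
static void *carbon(void) {
    static void *h;
    if (!h) h = dlopen("/System/Library/Frameworks/Carbon.framework/Carbon", RTLD_LAZY);
    return h;
}
#endif

/* Returns 1 if secure event input is now enabled, 0 if it could not be
 * (non-Apple build, Carbon unavailable, or no WindowServer session such as an
 * ssh login). Every successful call must be balanced by secure_input_disable(). */
int secure_input_enable(void) {
#ifdef __APPLE__
    void *h = carbon();
    if (!h) return 0;
    status_fn enable = (status_fn)dlsym(h, "EnableSecureEventInput");
    bool_fn   check  = (bool_fn)dlsym(h, "IsSecureEventInputEnabled");
    if (!enable || enable() != 0) return 0;
    return check ? (check() != 0) : 1;
#else
    return 0;
#endif
}

void secure_input_disable(void) {
#ifdef __APPLE__
    void *h = carbon();
    status_fn disable = h ? (status_fn)dlsym(h, "DisableSecureEventInput") : NULL;
    if (disable) disable();
#endif
}

/* Reads one line from `in` into buf (at most n-1 bytes, newline stripped).
 * When `in` is a terminal, echo is turned off and secure input is requested
 * for the duration of the read. Returns the secret length, or -1 on error. */
int read_secret(FILE *in, const char *prompt, char *buf, size_t n) {
    int fd = fileno(in), tty = isatty(fd), secured = 0;
    struct termios saved, quiet;
    if (tty) {
        if (tcgetattr(fd, &saved) != 0) return -1;
        quiet = saved;
        quiet.c_lflag &= ~(tcflag_t)ECHO;     /* no local echo of the secret */
        if (tcsetattr(fd, TCSAFLUSH, &quiet) != 0) return -1;
        secured = secure_input_enable();      /* shield keystrokes from event taps */
        if (prompt) { fputs(prompt, stderr); fflush(stderr); }
    }
    char *got = fgets(buf, (int)n, in);
    if (tty) {
        if (secured) secure_input_disable();  /* balance the enable call */
        tcsetattr(fd, TCSAFLUSH, &saved);
        fputc('\n', stderr);
    }
    if (!got) return -1;
    size_t len = strcspn(buf, "\r\n");
    buf[len] = '\0';
    return (int)len;
}

int main(void) {
    char secret[256];
    int len = read_secret(stdin, "Password: ", secret, sizeof secret);
    memset(secret, 0, sizeof secret);         /* scrub the copy before exit */
    printf("read %d bytes\n", len);
    return len < 0;
}
```

On OS X, while the prompt is waiting you can confirm the state with `ioreg -l -w 0 | grep SecureInput`, which lists the PID holding secure input; if the tool exits without calling DisableSecureEventInput (for example on a signal), that state persists and other applications will see keyboard input as locked, so a real implementation should also restore it from a signal handler. Note that the event tap still sees the keystrokes that are typed before the prompt is reached, and that secure input needs a WindowServer session, so the protection does not apply to a remote ssh login into the machine.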

Steps to Reproduce:


Expected Results:


Actual Results:


Version:
10.10.1 (14B25)

Notes:


Configuration:


Attachments:
