Rixstep
	`About \| ACP \| Buy \| Industry Watch \| Learning Curve \| News \| Search \| Test`

Home » Learning Curve

It's Not Just Apple It's The Whole Happy Mac Family

Rabbit holes: they're easy to fall into but they're not easy to climb back out of.

Security is only as strong as its weakest link. In the past five weeks the focus has been on Apple, but even with the holes band-aided there's always the risk a 3rd party product could screw things up.

Enough people have a bad habit of using the same password everywhere to make the prospect of finding a single readable password a key to unlocking an entire system.

The following list is courtesy the people at the Macintosh Underground. It is two years old, so things have changed. Some of the items no longer exist; some new items would otherwise be found.

OSXVNC	Password stored in clear text in `Contents/MacOS/passwd`
DynDNS	Stores password in clear text in /Library/Preferences/DNSUpdate/Users.
Open Firmware Password	`nvram -p \| grep password \| awk '{print $2}'`
System Optimizer X	Stores the clear text OS X admin account password in `~/Library/Preferences/System Optimizer X Preferences` and it stays there until someone clicks the 'click the lock to un-authenticate' button in the program.
PiePants	Password stored in clear text in user's preferences.
AppleScripts	Password often stored in clear text inside.
CommuniGate Mail	`sudo find /var/Communigate -name account.settings \| xargs grep Password`
Tivoli Storage Manager	Password stored in `/Library/Preferences/Tivoli\ Storage\ Manager/*.pwd`
CUPS	Windows printer passwords stored in clear text in `/etc/cups/printers.conf`
MacCVSClient	Stores login password (if saved in preferences) in MacCVSClient preferences file as clear text.
Tomcat	Password stored in `conf/tomcat-users.xml` in clear text.
Yahoo IM	Base64 encoding in `com.yahoo.Messenger.Users.username.plist` easily decoded by http://securitystats.com/tools/base64.php.
AirPort	Base64 encoding in `com.apple.nat.plist` easily decoded by http://securitystats.com/tools/base64.php.
CPU Speed Accelerator	Base64 encoding in preference file easily decoded by http://securitystats.com/tools/base64.php.
YourSQL	Base64 encoding in `~/Library/Preferences/com.magisterludi.YourSQL.plist` easily decoded by http://securitystats.com/tools/base64.php.
Transmit	Base64 encoding in `~/Library/Preferences/com.panic.Transmit.plist` easily decoded by http://securitystats.com/tools/base64.php.
Nicecast	Base64 encoding in `~/Library/Preferences/com.rogueamoeba.Nicecast.plist` easily decoded by http://securitystats.com/tools/base64.php.