About | Buy Stuff | Industry Watch | Learning Curve | Products | Search | Twitter
Home » Learning Curve

It's Not Just Apple It's The Whole Happy Mac Family

Rabbit holes: they're easy to fall into but they're not easy to climb back out of.


Security is only as strong as its weakest link. In the past five weeks the focus has been on Apple, but even with the holes band-aided there's always the risk a 3rd party product could screw things up.

Enough people have a bad habit of using the same password everywhere to make the prospect of finding a single readable password a key to unlocking an entire system.

The following list is courtesy the people at the Macintosh Underground. It is two years old, so things have changed. Some of the items no longer exist; some new items would otherwise be found.

OSXVNCPassword stored in clear text in Contents/MacOS/passwd
DynDNSStores password in clear text in /Library/Preferences/DNSUpdate/Users.
Open Firmware Passwordnvram -p | grep password | awk '{print $2}'
System Optimizer XStores the clear text OS X admin account password in ~/Library/Preferences/System Optimizer X Preferences and it stays there until someone clicks the 'click the lock to un-authenticate' button in the program.
PiePantsPassword stored in clear text in user's preferences.
AppleScriptsPassword often stored in clear text inside.
CommuniGate Mailsudo find /var/Communigate -name account.settings | xargs grep Password
Tivoli Storage ManagerPassword stored in /Library/Preferences/Tivoli\ Storage\ Manager/*.pwd
CUPSWindows printer passwords stored in clear text in /etc/cups/printers.conf
MacCVSClientStores login password (if saved in preferences) in MacCVSClient preferences file as clear text.
TomcatPassword stored in conf/tomcat-users.xml in clear text.
Yahoo IMBase64 encoding in com.yahoo.Messenger.Users.username.plist easily decoded by http://securitystats.com/tools/base64.php.
AirPortBase64 encoding in com.apple.nat.plist easily decoded by http://securitystats.com/tools/base64.php.
CPU Speed AcceleratorBase64 encoding in preference file easily decoded by http://securitystats.com/tools/base64.php.
YourSQLBase64 encoding in ~/Library/Preferences/com.magisterludi.YourSQL.plist easily decoded by http://securitystats.com/tools/base64.php.
TransmitBase64 encoding in ~/Library/Preferences/com.panic.Transmit.plist easily decoded by http://securitystats.com/tools/base64.php.
NicecastBase64 encoding in ~/Library/Preferences/com.rogueamoeba.Nicecast.plist easily decoded by http://securitystats.com/tools/base64.php.
About | ACP | Buy | Forum | Industry Watch | Learning Curve | Search | Twitter | Xnews
Copyright © Rixstep. All rights reserved.