
Caution - Xmorph security hole... System
There's a big security hole if you're using Xmorph [Editor: a theme-switcher for OS X]. Look in ~/Library/Preferences/Xmorph Preferences. If you've authenticated once, you should be looking right at your admin password. The author insists that this is a "feature." Feature or not, no password should ever be stored in plain text. Another Real Basic app...

[Editor's note: See the comments - this 'hole' is completely optional and at the user's discretion. Seems like a reasonable balance of ease-of-use and security - you choose whether or not you'd like your admin password saved in cleartext.]

This warning is kind of overblown.
Authored by: rusto on Jul 15, '01 09:24:01AM
The password save "feature" is not obligatory, it is an option you can elect to choose or not. It is no more a security hole than keeping a text doc. on your computer with all your passwords listed. I had no problem seeing, reading and opting NOT to have XMorph save my admin password. There are a lot of these hyper-active warnings about Xmorph at various Mac sites and I suspect many are originating from developers (friends of) the competing app, MetaMorphX.

Here is a quote from the developer at VersionTracker:

"This feature was put in so that you never have to enter your password in XMorph. XMorph will scan this file at start-up and get your password. It was put in as a feature in earlier versions, and is completely optional. If you don't want your password remembered, leave all fields blank, and the checkbox unchecked. The setup assistant warns you of this risk. Here is exactly what the warning says: Make sure you enter your administrative password. Selecting this option will mean never having to enter your password. This can be a security risk, and a copy of your password will be saved to the hard drive. MetaMorphX uses Cocoa's authentication manager, and requires you to enter your password every time. I simply added the feature so that you do not need to enter your password ever if you don't care about the security risks. To remove your password, go to password settings in the extras menu, uncheck "Remember my password" and leave all fields blank. I simply left the option to either remember your password or not. --Colin Cornaby I'd also like to mention anonoy_13 I believe is on the MetaMorphX development team. He is the author of the Unlined Series, and has been a part of the MetaMorphX project."

This is still a security hole
Authored by: spyro_le_dragon on Jul 16, '01 08:36:56AM
Whatever you say, storing a password in full text is a baaad thing. He could at least use some kind of encryption or code to make it unreadable. I would bet there also is a function in Carbon and/or Cocoa to allow the encryption of passwords. By the way, if the system asks for a password every time, it's for a good reason and that shouldn't be bypassed. By the way, please sign the X OUR way petition: http://www.PetitionOnline.com/xourway/petition.html

~/Library permissions
Authored by: owain_vaughan on Jul 16, '01 04:58:21AM

The ~/Library directory is 'rwx------' and owned by you, so no other user can read it anyway!



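A way to check the permission point raised in the last comment on your own account, as an added example that is not part of the original thread: it walks every directory from the home folder down to the preferences file and reports whether a non-owner account could reach and read it. The function names and the temporary directory layout are constructed for illustration; ACLs, root access and backups are outside what it checks.

```python
import os
import stat
import tempfile

NON_OWNER_READ = stat.S_IRGRP | stat.S_IROTH
NON_OWNER_SEARCH = stat.S_IXGRP | stat.S_IXOTH

def audit_secret_file(path, home):
    """Return (exposed, findings) for a file stored somewhere under home.

    Conservative: group and other permission bits are treated alike.
    """
    path, home = os.path.realpath(path), os.path.realpath(home)
    if os.path.commonpath([path, home]) != home:
        raise ValueError("path is not inside home")
    # Every directory from home down to the file's parent must grant the
    # search (x) bit before a non-owner can reach anything beneath it.
    dirs = [home]
    for part in os.path.relpath(os.path.dirname(path), home).split(os.sep):
        if part != ".":
            dirs.append(os.path.join(dirs[-1], part))
    findings, reachable = [], True
    for d in dirs:
        mode = os.stat(d).st_mode
        if not mode & NON_OWNER_SEARCH:
            findings.append(f"blocked at {d} ({stat.filemode(mode)})")
            reachable = False
            break
    file_mode = os.stat(path).st_mode
    file_open = bool(file_mode & NON_OWNER_READ)
    if file_open:
        findings.append(f"file itself is {stat.filemode(file_mode)}")
    return reachable and file_open, findings

def demo():
    """Constructed layout mirroring ~/Library/Preferences/Xmorph Preferences."""
    with tempfile.TemporaryDirectory() as home:
        library = os.path.join(home, "Library")
        prefs_dir = os.path.join(library, "Preferences")
        os.makedirs(prefs_dir)
        prefs = os.path.join(prefs_dir, "Xmorph Preferences")
        with open(prefs, "w") as fh:
            fh.write("constructed-placeholder\n")
        for p, m in ((home, 0o755), (prefs_dir, 0o755), (prefs, 0o644)):
            os.chmod(p, m)
        os.chmod(library, 0o700)   # the rwx------ case from the comment
        locked = audit_secret_file(prefs, home)[0]
        os.chmod(library, 0o755)   # same file once Library is opened up
        opened = audit_secret_file(prefs, home)[0]
        return locked, opened
```

To audit a real account, call `audit_secret_file` with the preferences path and `os.path.expanduser("~")`; a world-readable file is only protected for as long as the directory above it stays closed.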