Security bug in Mac OS X 10.5 Airport: use Airport to retrieve username and password

Alec Jacobson

September 09, 2009


New solution below.

I noticed that when I wake up my MacBook Pro running Mac OS X 10.5 from sleep, it tries to connect to a preferred wireless network. On failure it presents me with a list:

List of wireless networks

AirPort has remembered passwords to networks to which I have previously connected. Even my university's NYU-ROAM2, which uses LEAP, has a remembered password (the LEAP username and password are actually remembered together as a WEP password of the form <username/password>).

AirPort reveals previous network's password

By selecting a protected network then checking "Show password" I can not only see passwords to previous wireless networks, but if I select some LEAP-protected wireless network like NYU-ROAM2 I can see my username and password! This means anyone with access to your laptop could potentially get your username and password, which in turn could allow the fiend to access other private information stored elsewhere using the same username and password. I guess the lesson is to require a password upon waking up. You can do this by going to System Preferences > Security then making sure "Require password to wake this computer from sleep or screen saver" is checked.

Security preference pane

Though it does seem odd for AirPort to show these passwords without prompting at least for the current user's password.

Update: It looks like just adding a prompt for the computer's password at wake up is not enough. A user can bring up the list of previous wireless networks (and the ability to see remembered passwords) just by turning AirPort on and off. Any ideas for solutions to this problem?

New (stronger) solution: Adding a password on wake up is not quite good enough. Mac does let you (as of some security update?) require administrative privileges to modify AirPort settings (turn ON or OFF, change/create networks). Open Network Preferences (either through System Preferences or by clicking on the AirPort symbol):

open network preferences using airport icon

In Network Preferences select AirPort on the left and click "Advanced":

advanced button in network preferences

Under the (default) AirPort tab in the Advanced window, make sure "Require Administrator password to control AirPort" is selected.

require administrator password to control airport

Be sure to finish by applying the changes.