Friday, December 5, 2014

Core Graphics Logging Input Data to /tmp Directory

Mozilla (via Jacob Garbe):

Security researcher Kent Howard reported an Apple issue present in OS X 10.10 (Yosemite) where log files are created by the CoreGraphics framework of OS X in the /tmp local directory. These log files contain a record of all inputs into Mozilla programs during their operation. In versions of OS X from versions 10.6 through 10.9, the CoreGraphics had this logging ability but it was turned off by default. In OS X 10.10, this logging was turned on by default for some applications that use a custom memory allocator, such as jemalloc, because of an initialization bug in the framework. This issue has been addressed in Mozilla products by explicitly turning off the framework's logging of input events. On vulnerable systems, this issue can result in private data such as usernames, passwords, and other inputed data being saved to a log file on the local system.

I have been using Firefox 33.1 and did not see any CGLog_ files on my Mac.

2 Comments RSS · Twitter

I’m using Firefox 33.1.1 and I found a current log file: /private/tmp/CGLog_Firefox_580

Seems to only contain information about mouse and scroll wheel movements.

Follow-up… it is an 8 MB file and my grep command wasn’t working well. There are also key down and key up lines in the file.

29302.8143675 (Firefox): CGSGetNextEventRecordInternal: 29302.8142273 loc (763.0, 476.0) conn 0x1c3cb KeyDown win 0x0 flags 0x100 set 252 char 114; key 15 data 114 special 0 repeat 0 keybd 40

Leave a Comment