Potential Jaguar Cache Cleaner security hole
There is an apparent security flaw in the shareware utility Jaguar Cache Cleaner that will expose the administrator password via simple Terminal commands.
While deleting a cache or performing another process in Jaguar Cache Cleaner, you can view the Mac OS X administrator user's password in the Terminal by typing "ps -aux" or via any utility that shows other users' processes (such as Process Wizard). This bug was discovered by VersionTracker feedback poster sjonke.
Exploiting this security hole from the Terminal (using the "ps -aux" command) requires only access to any account on the machine, so it can also be exploited remotely. Exploiting this hole using a separate application such as Process Viewer merely requires physical access to a machine.
There are several processes, such as the "cron" maintenance routines automatically performed by Mac OS X, that access root user privileges without revealing the administrator password. We are not sure why the developer of Jaguar Cache Cleaner chose the less secure route of enabling the administrator password, thus allowing it to be easily viewed by unauthorized users.
UPDATE: MacFixIt reader Rob Morton notes that this is actually a problem with any AppleScript Studio application:
"It is simply the way the AppleScript command do shell script " password AdminPassword with administrator privileges. Unless Apple changes the way that works, it will be a security risk. It really just means that while the application is running, you should not leave your machine and should not allow shell access to your machine from people you do not trust."
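The general mechanism behind this exposure, as an added example that is not code from Jaguar Cache Cleaner, AppleScript or the original report: a secret passed as a command-line argument is readable in the process table for as long as the process runs, while the same secret sent over standard input is not. The helper process, the `--password` argument and the password value are constructed for illustration.

```python
import os
import subprocess
import sys

SECRET = "constructed-Adm1n-pw"          # constructed sample value, not a real password
HELPER = "import sys; sys.stdin.read()"  # stand-in helper: runs until stdin is closed


def visible_args(pid):
    """Return the command line of `pid` as the process table exposes it."""
    proc_file = f"/proc/{pid}/cmdline"
    if os.path.exists(proc_file):        # Linux: argv stored NUL-separated
        with open(proc_file, "rb") as fh:
            return fh.read().replace(b"\0", b" ").decode()
    # Mac OS X / BSD: the same argument string that "ps -aux" displays
    result = subprocess.run(["ps", "-ww", "-o", "args=", "-p", str(pid)],
                            capture_output=True, text=True)
    return result.stdout


def run_and_observe(secret, via_argv):
    """Start the helper, hand it the secret, and return what a process
    listing shows for it while it is still running."""
    argv = [sys.executable, "-c", HELPER]
    if via_argv:
        argv += ["--password", secret]   # weak: secret becomes part of argv
    child = subprocess.Popen(argv, stdin=subprocess.PIPE, text=True)
    try:
        if not via_argv:
            child.stdin.write(secret + "\n")  # safer: secret travels over a pipe
            child.stdin.flush()
        return visible_args(child.pid)
    finally:
        child.communicate()              # close stdin so the helper exits


if __name__ == "__main__":
    print("argv :", run_and_observe(SECRET, via_argv=True).strip())
    print("stdin:", run_and_observe(SECRET, via_argv=False).strip())
```

Auditing a tool for this problem amounts to the same check: list its processes while it performs a privileged task and confirm that no credential appears in the argument column.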
Feedback? Late-breakers@macfixit.com.
