Hardly a security flaw. How do you expect Safari/Chrome to autofill the same passwords? And after the password is auto-filled, any JavaScript can access the input's value attribute.
I use this in my .emacs so Emacs can grab passwords from Keychain, but the same approach would work in bash too:
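(defun find-keychain-password (host)
  "Return the Keychain internet password stored for HOST, or nil."
  (condition-case nil
      ;; `security -g` prints a line of the form: password: "secret"
      (let ((passstr (cadr (split-string
                            (car (process-lines "/usr/bin/security" "find-internet-password" "-gs" host))
                            ": "))))
        ;; Strip the surrounding double quotes.
        (substring passstr 1 (1- (length passstr))))
    (error nil)))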
I'm inclined to agree. It looks like this is the same "hack" detailed last week, though through a terminal command instead of an application. As we learned last week, by default, OS X is set to never lock the keychain once it is logged in. It's a conscious choice of default set by Apple. If you care about tighter security, just change the autolock time or use separate keychains.
No, last week's was root only, operated by searching through RAM for various keys, and was notable for displaying passwords for every logged-in user, which this will not do.
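Added example, not part of any comment in this thread: a shell check for the never-lock default and the autolock advice discussed above. It assumes the `Keychain "<path>" ...` line format of `security show-keychain-info`; the function names, sample paths and the 900-second ceiling are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): flag keychains that never auto-lock.
# Assumed input, one line per keychain, in the form printed by
#   security show-keychain-info <keychain>      (written to stderr)
# e.g.  Keychain "<path>" no-timeout
#       Keychain "<path>" lock-on-sleep timeout=300s
# A flagged keychain can be tightened with
#   security set-keychain-settings -l -u -t 300 <keychain>

MAX_TIMEOUT=900   # hypothetical policy ceiling in seconds, adjust to taste

# Print "OK|WEAK|SKIP <path> <reason>" for one line; return 0 only for OK.
classify_keychain_line() {
    kc_path=$(printf '%s\n' "$1" | sed -n 's/^Keychain "\(.*\)" .*$/\1/p')
    kc_opts=$(printf '%s\n' "$1" | sed -n 's/^Keychain ".*" \(.*\)$/\1/p')
    [ -n "$kc_path" ] || { echo "SKIP unparsed line: $1"; return 2; }
    case " $kc_opts " in
        *" no-timeout "*) echo "WEAK $kc_path never auto-locks"; return 1 ;;
    esac
    kc_secs=$(printf '%s\n' "$kc_opts" | sed -n 's/.*timeout=\([0-9][0-9]*\)s.*/\1/p')
    if [ -z "$kc_secs" ]; then
        echo "WEAK $kc_path has no timeout"; return 1
    elif [ "$kc_secs" -gt "$MAX_TIMEOUT" ]; then
        echo "WEAK $kc_path timeout ${kc_secs}s exceeds ${MAX_TIMEOUT}s"; return 1
    fi
    case " $kc_opts " in
        *" lock-on-sleep "*) echo "OK $kc_path locks after ${kc_secs}s and on sleep"; return 0 ;;
    esac
    echo "WEAK $kc_path stays unlocked across sleep"; return 1
}

# Read many lines on stdin; return 1 if any keychain is not OK.
audit_keychains() {
    kc_bad=0
    while IFS= read -r kc_line; do
        [ -n "$kc_line" ] || continue
        classify_keychain_line "$kc_line" || kc_bad=1
    done
    return "$kc_bad"
}

# Constructed sample input (paths and values are made up for the demo).
audit_keychains <<'EOF' || echo "at least one keychain needs a shorter auto-lock"
Keychain "/Users/alice/Library/Keychains/login.keychain" no-timeout
Keychain "/Users/alice/Library/Keychains/work.keychain" lock-on-sleep timeout=300s
EOF
```

On a Mac, live data can be piped in with `security show-keychain-info <keychain> 2>&1 | audit_keychains`.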