It seems that the only real issue is that it circumvents keychain, that would normally prompt before giving any protected value to unknown code (not signed or already prompted). So a plugin can access to protected data that iTune can fetch from keychain silently.
I don't know if there is other ways to achieve that with local attacks, but it looks like a middle of the road issue. Quite serious, but also requires the target system to be already compromised.
I don't know if there is other ways to achieve that with local attacks, but it looks like a middle of the road issue. Quite serious, but also requires the target system to be already compromised.