Safari 5.0 AutoFill Feature Could Leave Your Information Vulnerable
Click image to embiggen.
Security researcher Jeremiah Grossman discovered a security vulnerability that could give any website the ability to steal user information from Safari's AutoFill feature that grabs user information from Address Book on the Mac. Apple countered Grossman by releasing Safari 5.0.1 that supposedly corrected the issue, but Grossman has found another potentially dangerous way to grab user information from Apple's flagship web browser.
To get the user information, Grossman setup a "game" whereby the user needed to type a "U" to jump. When the user typed the U, the text was placed in the country field, telling Safari to go ahead and automatically fill out the entire form with personal user information, including first name, last name, city, state, email, phone, street, country, and the zip (or postal) code.
"To perform our attack requires tiny bit of end-user trickery. Two button presses to be precise. A malicious website detects (ie: IP address) the country the victim is from. For our purposes here we'll assume the "US." The attacker invisibly (CSS transparency) sets up the aforementioned form and forces the keystroke focus into the country element. Notice how this is done in the video on the right side of the screen, which only visible for demonstration purposes. Next the attacker entices the victim to type "U" (first character of "US") and then press "TAB." And BAM! That's it! Data stolen," says Grossman on his blog.
Grossman also posted a video showing the exploit in progress, which you can find on his post.
Apple has yet to address this potential exploit, but with any vulnerability like this, you can always combat the problem by turning off the affected feature. By disabling the AutoFill feature in Safari, you are essentially killing this hack. You can disable AutoFill by navigating to Safari > Preferences > AutoFill and unchecking the box labeled "Using info from my Address Book card."
via MacRumors
Follow this article's author, Cory Bohon on Twitter.
Related Articles
iCrizzo
September 27, 2010 at 7:06am
Can't someone just pick up a phonebook and get my phone number and address?
stevengu
September 24, 2010 at 8:36pm
I have been avoiding Safari for reasons like this. I do agree that it is a sweet browser and all for Mac users, but it does have a lot of security flaws like this, and even though patches come out for it, people can still exploit it.
That's why I moved to Chrome, which has better security features than Safari. Plus, I don't even use autofill.
Kruz8er
September 24, 2010 at 5:05pm
I thought this was behind us with 5.0.1 :/ For now I turned it off. But im hopeful Apple fixes this quick and this time, for real!
Still love my Safari though!
Connect with Mac|Life
Featured Content
10 television shows that feature our favorite Apple products.
Keep in mind that iTunes and Amazon will sell you entire seasons, which last longer...
Whether it's learning how to use the application or importing third-party calendars...
In This Month's Issue
Feature
Review
Create
Latest Mac|Life Tweets
- MacLife: Review: Sonic the Hedgehog 4 Episode II, universal for iPhone and iPad. So frustrating! http://t.co/UwBjm1Qx1 day 2 hours ago
- MacLife: Lights, Camera, Apple! So many Macs, iPhones, and iPads on TV. http://t.co/JPJ7fBVK1 day 3 hours ago
- MacLife: In this week's Law & Apple, Samsung's bizarre "anti-fanboy" defense, and Apple has a tough time in Delaware. http://t.co/oVwi51Yp1 day 3 hours ago
- MacLife: Mint's iOS app added budgeting and split transactions. Do you track your finances on an iPhone/iPad? http://t.co/c4AgVI4w1 day 4 hours ago
- MacLife: IBM blocks Siri, iCloud, and Drobpox on its employees' iPhones. Drag. But understandable too, right? http://t.co/ojuiYxiS1 day 5 hours ago
