Printed from http://www.macnn.com

Safari exploit uses AutoFill to grab personal information

updated 03:20 pm EDT, Thu July 22, 2010

Exploit unaddressed for a year

A very serious security vulnerability still exists in Safari, claims Jeremiah Grossman, CTO of WhiteHat Security. He observes that on sites where Safari's AutoFill feature can be used, the browser will automatically populate certain form fields with data from the user's Address Book, whether or not the person has ever visited the page before. By building a malicious site with form fields whose names match those Address Book entries, then simulating keystrokes with JavaScript to trigger AutoFill, an attacker can collect personal information without the victim's consent or any action on the victim's part.

The exploit has been demonstrated with proof-of-concept code and can reportedly steal the data in seconds. Some awareness of the threat is said to have existed for a year, but Grossman notes that he sent details to Apple in June of this year and received only a single automated response. A second message to Apple went unanswered.

The vulnerability is not unique to Safari, but Safari 5 was released just last month with the problem intact. Internet Explorer 6 and 7 are also said to be exposed, while IE 8 is reportedly protected. Until the affected browsers are patched, the only known mitigation is to disable AutoFill (or its equivalent) in the browser's preferences.
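The attack described above depends on a page carrying form fields that AutoFill recognises as personal data while keeping them where the user cannot see them fill in. The following is an added example written for this page, not code from the article and not Grossman's proof-of-concept: a small heuristic auditor that flags exactly that combination (a personal-data field name or autocomplete token plus a hidden or off-screen presentation). The field-name patterns, the visibility thresholds and the sample form fields are all assumptions constructed for the example; the `collectFields` helper gathers the same descriptors from a live page when run in a browser console, and the audit logic itself runs anywhere.

```javascript
// Added example: heuristic audit for hidden, AutoFill-attracting form fields.
// The patterns below are an assumption for this example, not Safari's own
// mapping of field names to Address Book entries.
const PERSONAL_FIELD_PATTERNS = [
  /^(full[-_ ]?)?name$/i,
  /^(first|last|given|family)[-_ ]?name$/i,
  /^(e-?mail|email[-_ ]?address)$/i,
  /^(tel|phone|telephone|mobile)/i,
  /^(street|address|address[-_ ]?line|city|state|zip|postal[-_ ]?code|country)/i,
  /^(company|organi[sz]ation)$/i,
];

// Does the field's name, id or autocomplete token look like personal data?
function looksPersonal(field) {
  const candidates = [field.name, field.id, field.autocomplete].filter(Boolean);
  return candidates.some(v => PERSONAL_FIELD_PATTERNS.some(re => re.test(v)));
}

// Return a short reason if the user could not watch this field being filled,
// or null if it is visibly on the page. Thresholds are assumptions.
function hiddenReason(field) {
  const s = field.style || {};
  if (s.display === 'none') return 'display:none';
  if (s.visibility === 'hidden') return 'visibility:hidden';
  if (Number.parseFloat(s.opacity) === 0) return 'opacity:0';
  if (parseInt(s.left, 10) < -1000 || parseInt(s.top, 10) < -1000) return 'positioned off-screen';
  if (parseInt(s.width, 10) === 0) return 'zero width';
  if (parseInt(s.height, 10) === 0) return 'zero height';
  return null;
}

// Flag fields that both look like personal data and are kept out of sight.
// type="hidden" inputs are skipped: browsers do not AutoFill them, so the
// attack has to use ordinary text inputs that are merely styled invisible.
function auditFields(fields) {
  const findings = [];
  for (const f of fields) {
    if ((f.type || 'text') === 'hidden') continue;
    if (!looksPersonal(f)) continue;
    const why = hiddenReason(f);
    if (why) findings.push({ name: f.name || f.id, reason: why });
  }
  return findings;
}

// Browser-only helper: build the same descriptors from a live document so the
// audit can be run from the console on a suspicious page. Not used by the test.
function collectFields(doc) {
  const view = doc.defaultView;
  return Array.from(doc.querySelectorAll('input, textarea')).map(el => {
    const cs = view.getComputedStyle(el);
    const r = el.getBoundingClientRect();
    return {
      name: el.name, id: el.id, type: el.type,
      autocomplete: el.getAttribute('autocomplete'),
      style: { display: cs.display, visibility: cs.visibility, opacity: cs.opacity,
               left: String(r.left), top: String(r.top),
               width: String(r.width), height: String(r.height) },
    };
  });
}

// Constructed sample: one honest sign-up form plus the pattern from the article.
const SAMPLE_FIELDS = [
  // Visible fields: personal, but the user sees them fill, so not flagged.
  { name: 'email', type: 'text', style: { display: 'block', opacity: '1', left: '120px', top: '80px', width: '220px', height: '24px' } },
  { name: 'username', type: 'text', style: { display: 'block' } },
  // Address Book-style fields parked where the victim cannot see them.
  { name: 'name', type: 'text', style: { position: 'absolute', left: '-5000px', top: '0px' } },
  { name: 'email_address', type: 'text', style: { position: 'absolute', top: '-9999px' } },
  { name: 'phone', type: 'tel', style: { display: 'none' } },
  { name: 'city', type: 'text', style: { opacity: '0', width: '1px', height: '1px' } },
  // Personal-looking name on a type=hidden input: never autofilled, so skipped.
  { name: 'country', type: 'hidden', style: {} },
];

if (typeof document !== 'undefined') {
  // In a browser: audit whatever page this is pasted into.
  console.log(auditFields(collectFields(document)));
} else {
  console.log(auditFields(SAMPLE_FIELDS));
}
```

The audit is a heuristic, not a verdict: a legitimately collapsed address section will also trip `display:none`, so findings need a human look at why the field is hidden. It also says nothing about the keystroke-simulation half of the attack, which lives in script rather than markup; the markup pattern is simply the cheapest signal to check first.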

by MacNN Staff

Comments

  peter02l (+2)

    Not really

    If the user has user names and passwords checked under autofill preferences, then maybe. But that is not checked by default. If using address book is checked, then all they can possibly get is your name, address, and phone number. The white pages has loads of them.

  peter02l (+3)

    also

    Just make sure you check off "using other forms" as well.

  testudo (0)

    Re: Not really

        If the user has user names and passwords checked under autofill preferences, then maybe. But that is not checked by default.

    But that's not what they are getting, nor would that work, since those only fill on the site that you are on.

        If using address book is checked, then all they can possibly get is your name, address, and phone number. The white pages has loads of them.

    They are loaded with them, but that's not the point. With such a flaw, a site could, for example, be able to actually put a name and address to a login, which, in turn, could be used for other information gathering as well.

    For example, if doubleclick.net got this information, they'd know who it was who was going to all those various web sites.
