Printed from http://www.macnn.com

Safari exploit uses AutoFill to grab personal information

updated 03:20 pm EDT, Thu July 22, 2010

Exploit unaddressed for a year

A very serious security vulnerability still exists in Safari, claims the CTO of WhiteHat Security. Jeremiah Grossman observes that on sites where Safari's AutoFill feature can be used, the browser will automatically populate certain fields with data from a computer's Address Book, whether or not a person has ever been to the page. By creating a malicious site with the right fields, then simulating keystrokes using JavaScript, it should be possible to collect personal information without the victim's consent.

The exploit has been tested with proof-of-concept code, and can reportedly steal data in seconds. Some awareness of the threat is said to have existed for a year, but Grossman notes that he provided details to Apple in June of this year, and received only a single auto-response in reply. A second message sent to Apple produced no answer.

The vulnerability is not unique to Safari, but Safari 5 was released just last month with the problem intact. The other exposed browsers are Internet Explorer 6 and 7; version 8 is said to be protected. To safeguard affected software, the only known solution so far is to disable AutoFill or its equivalent.
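The article describes the trap as a page carrying Address Book style fields that the user never sees or types into. A site auditor or browser-extension author can turn that description into a detection heuristic: flag forms that contain name/address/phone fields which are hidden from the user. The following is an added example written for this page, not code from the article or from WhiteHat's proof of concept; it works on a plain list of field descriptors (in a real extension you would build that list from `document.querySelectorAll("input")`, which is assumed, not shown) so it runs without a DOM.

```javascript
// Added example: heuristic audit for AutoFill-harvesting forms.
// A field is suspicious when its name/autocomplete maps to Address Book data
// AND it is not visible to the user (so AutoFill could populate it unseen).

// Field names that typically map to Address Book / contact-card data.
const ADDRESS_BOOK_FIELDS =
  /^(name|first.?name|last.?name|full.?name|address|street|city|state|zip|postal|phone|tel|email)$/i;

// Common ways a form field is kept out of the user's sight.
function isHidden(field) {
  const s = field.style || {};
  return (
    field.type === "hidden" ||
    s.display === "none" ||
    s.visibility === "hidden" ||
    (s.opacity !== undefined && Number(s.opacity) === 0) ||
    (s.left !== undefined && parseInt(s.left, 10) < -1000) ||
    (s.width !== undefined && parseInt(s.width, 10) === 0)
  );
}

function mapsToAddressBook(field) {
  return (
    ADDRESS_BOOK_FIELDS.test(field.name || "") ||
    ADDRESS_BOOK_FIELDS.test(field.autocomplete || "")
  );
}

// Returns the names of hidden contact-data fields and an overall verdict.
// Two or more such fields on one form is treated as a harvesting pattern.
function auditForm(fields) {
  const flagged = fields
    .filter((f) => mapsToAddressBook(f) && isHidden(f))
    .map((f) => f.name);
  return { flagged, suspicious: flagged.length >= 2 };
}

// Constructed sample: a login form with two concealed contact fields and
// one visible, legitimate email field. Not taken from any real site.
const SAMPLE_FORM = [
  { name: "username", type: "text", style: {} },
  { name: "password", type: "password", style: {} },
  { name: "name", type: "text", style: { display: "none" } },
  { name: "phone", type: "text", style: { position: "absolute", left: "-9999px" } },
  { name: "email", type: "text", style: {} },
];

console.log(auditForm(SAMPLE_FORM)); // { flagged: ['name', 'phone'], suspicious: true }
```

The heuristic is deliberately conservative: a single visible email field on a sign-up form is normal, and only concealed contact-data fields count toward the verdict.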


by MacNN Staff


Comments

  1. peter02l

    Joined: Dec 1969

    +2

    Not really

    If the user has user names and passwords checked under autofill preferences, then maybe. But that is not checked by default. If using address book is checked, then all they can possibly get is your name, address, and phone number. The white pages has loads of them.

  1. peter02l

    Joined: Dec 1969

    +3

    also

    Just make sure you check off "using other forms" as well.

  1. testudo

    Joined: Dec 1969

    0

    Re: Not really

    If the user has user names and passwords checked under autofill preferences, then maybe. But that is not checked by default.

    But that's not what they are getting, nor would that work, since those only fill on the site that you are on.

    If using address book is checked, then all they can possibly get is your name, address, and phone number. The white pages has loads of them.

    They are loaded with them, but that's not the point. With such a flaw, a site could, for example, be able to actually put a name and address to a login, which, in turn, could be used for other information gathering as well.

    For example, if doubleclick.net got this information, they'd know who it was who was going to all those various web sites.
