
Safari exploit uses AutoFill to grab personal information

updated 03:20 pm EDT, Thu July 22, 2010

Exploit unaddressed for a year

A very serious security vulnerability still exists in Safari, claims Jeremiah Grossman, CTO of WhiteHat Security. Grossman observes that on sites where Safari's AutoFill feature can be used, the browser will automatically populate certain form fields with data from the computer's Address Book, whether or not the person has ever visited the page before. By creating a malicious site with the right fields and then simulating keystrokes with JavaScript, it should be possible to collect personal information without the victim's consent.

The exploit has been tested with proof-of-concept code, and can reportedly steal the data in seconds. Some awareness of the threat is said to have existed for a year, but Grossman notes that he provided details to Apple in June of this year and received only a single auto-response in reply. A second message sent to Apple produced no answer.

The vulnerability is not unique to Safari, but Safari 5 was released just last month with the problem intact. The other affected browsers are Internet Explorer 6 and 7; IE 8 is said to be protected. For affected software, the only known safeguard so far is to disable AutoFill or its equivalent.
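The article describes the shape of such a page (form fields matching Address Book data, keystrokes faked from script) and the one mitigation that exists (turn AutoFill off). The script below is an added defensive example; it is not code from the article, from WhiteHat Security or from Apple. It audits a page's HTML for that shape and scores it, which is the sort of check a proxy or URL scanner might run. The list of personal-data field names, the CSS patterns treated as "hidden from the user", the scoring thresholds and both sample pages are constructed assumptions, not values taken from the article.

```python
"""Heuristic audit for pages that look built to harvest browser AutoFill data.

Added example; this is not code from the MacNN article, WhiteHat Security or
Apple. Everything here is a constructed assumption: the list of Address Book
field names, the CSS patterns treated as "hidden from the user", the scoring
thresholds and both sample pages.
"""
import re
from html.parser import HTMLParser

# Field names AutoFill is assumed to map to Address Book data (constructed list).
PERSONAL_FIELDS = {"name", "firstname", "lastname", "address", "street", "city",
                   "zip", "postal", "phone", "tel", "email"}

# CSS that keeps a field out of sight while it remains an ordinary text input.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|left\s*:\s*-\d{3,}px"
    r"|opacity\s*:\s*0(?![.\d])", re.I)

# Script tokens associated with synthesising keyboard input.
KEY_EVENT = re.compile(r"KeyboardEvent|initKeyEvent|dispatchEvent", re.I)


class FormAudit(HTMLParser):
    """Collects personal-data inputs, which of them are hidden, and script text."""

    def __init__(self):
        super().__init__()
        self.personal = []         # input names matching PERSONAL_FIELDS
        self.hidden_personal = []  # the subset styled out of view
        self.scripts = []          # raw text of every <script> block
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input":
            name = (a.get("name") or a.get("id") or "").lower()
            # split "user_email" into tokens so "username" does not match "name"
            tokens = set(re.split(r"[^a-z0-9]+", name)) - {""}
            if tokens & PERSONAL_FIELDS:
                self.personal.append(name)
                if HIDDEN_STYLE.search(a.get("style") or ""):
                    self.hidden_personal.append(name)
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def assess(html):
    """Return the findings plus a score; 4 or more is flagged as suspicious."""
    p = FormAudit()
    p.feed(html)
    p.close()
    findings = {
        "personal_fields": sorted(set(p.personal)),
        "hidden_personal_fields": sorted(set(p.hidden_personal)),
        "synthetic_key_events": bool(KEY_EVENT.search("\n".join(p.scripts))),
    }
    score = 0
    if len(findings["personal_fields"]) >= 3:   # asks for a lot of personal data
        score += 1
    if findings["hidden_personal_fields"]:      # ...in fields the user cannot see
        score += 2
    if findings["synthetic_key_events"]:        # ...and fakes typing to trigger fill
        score += 2
    findings["score"] = score
    findings["suspicious"] = score >= 4
    return findings


# Constructed sample: an ordinary visible checkout form with no script.
BENIGN_PAGE = """
<form action="/checkout">
  <input name="name"><input name="street"><input name="phone">
  <button>Order</button>
</form>
"""

# Constructed sample: personal-data fields pushed off-screen plus a script that
# merely mentions synthetic key events (a comment here, not working code).
SUSPICIOUS_PAGE = """
<form>
  <input name="name" style="position:absolute;left:-9999px">
  <input name="address" style="position:absolute;left:-9999px">
  <input name="phone" style="display:none">
  <input name="email" style="display:none">
</form>
<script>/* constructed marker: dispatchEvent(new KeyboardEvent('keypress')) */</script>
"""

if __name__ == "__main__":
    for label, page in (("benign", BENIGN_PAGE), ("suspicious", SUSPICIOUS_PAGE)):
        print(label, assess(page))
```

The visible checkout form scores 1 (it asks for personal data, but in plain sight and without script), while the constructed off-screen form with a key-event script scores 5. The weights are deliberately tilted toward the two traits a legitimate form rarely has at once: personal-data fields the user cannot see and script that fakes typing into them.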

by MacNN Staff


Comments

  1. peter02l (+2)

    Not really

    If the user has user names and passwords checked under autofill preferences, then maybe. But that is not checked by default. If using address book is checked, then all they can possibly get is your name, address, and phone number. The white pages have loads of them.

  2. peter02l (+3)

    also

    Just make sure you check off "using other forms" as well.

  3. testudo (0)

    Re: Not really

    > If the user has user names and passwords checked under autofill preferences, then maybe. But that is not checked by default.

    But that's not what they are getting, nor would that work, since those only fill on the site that you are on.

    > If using address book is checked, then all they can possibly get is your name, address, and phone number. The white pages have loads of them.

    They are loaded with them, but that's not the point. With such a flaw, a site could, for example, be able to actually put a name and address to a login, which, in turn, could be used for other information gathering as well.

    For example, if doubleclick.net got this information, they'd know who it was who was going to all those various web sites.
