Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

Safari AutoFill Security Issue Rears Its Head Once Again

MacRumors

MacRumors

macrumors bot
Original poster
Apr 12, 2001
63,539
30,848


Back in July, security researcher Jeremiah Grossman revealed a security issue that could allow malicious parties to take advantage of Safari's AutoFill feature to extract personal information from users' Address Book entries. At the time, Grossman reported that his report to Apple had gone essentially unacknowledged for nearly a month, but just six days later Apple released Safari 5.0.1 and 4.1.1 to address the problem.


134256-safari_autofill_u_tab_exploit_500.jpg


Screenshot of Grossman's proof-of-concept test of new AutoFill exploit
Grossman now reports that he has discovered another similar AutoFill security issue that, while requiring the malicious party to trick users into providing a pair of keystrokes rather than being completely automated as in the previous exploit, offers an even more efficient means for users' personal information to be obtained.
To perform our attack requires tiny bit of end-user trickery. Two button presses to be precise. A malicious website detects (ie: IP address) the country the victim is from. For our purposes here we'll assume the "US." The attacker invisibly (CSS transparency) sets up the aforementioned form and forces the keystroke focus into the country element. Notice how this is done in the video on the right side of the screen, which only visible for demonstration purposes. Next the attacker entices the victim to type "U" (first character of "US") and then press "TAB." And BAM! That's it! Data stolen.
Click to expand...
Grossman relates that he notified Apple of the newly-discovered exploit via email on August 10th and again a few days later. One week after that, he received a phone call from an Apple product security engineer with whom he had a "productive chat" about how the original vulnerability report from June had been handled, only to discover at the end of the conversation that the engineer had no idea that Grossman had reported the second issue a week and half prior.

As with the earlier exploit, users can protect themselves by simply turning off the AutoFill option to automatically populate forms with information from their Address Book cards. Grossman notes, however, that he is unsure how Apple plans to address the vulnerability while still maintaining the convenience of the AutoFill feature. While Apple's previous patch allowed Safari to automatically differentiate from the automated JavaScript-simulated keystrokes from real keystrokes, thus thwarting the original exploit, the new exploit relies on tricking the user into actually entering the necessary keystroke, a tactic that could be more difficult to address.

Article Link: Safari AutoFill Security Issue Rears Its Head Once Again
 
Article Link
https://www.macrumors.com/2010/09/24/safari-autofill-security-issue-rears-its-head-once-again/
skeep5

skeep5

macrumors 6502a
Mar 16, 2006
560
0
AZ
aw crap. man i'm all depressed now. went from hey! there's a 7 inch ipad coming to hey! safari just sent all your info to bangladesh. :rolleyes:
 
B

Bleubird2

macrumors member
Apr 2, 2010
34
0
Maybe it's time to just disable AutoFill until the security issues are completely fixed.
 
Darth.Titan

Darth.Titan

macrumors 68030
Oct 31, 2007
2,905
753
Austin, TX
Can someone please tell me how the ability to obtain my name and address is a huge security threat? They can grab a phone book and get a bunch of that kind of info with far less effort.

Not sure what the big deal is. It's not like the Address book info contains credit card and Social Security numbers. :confused:
 
grapes911

grapes911

Moderator emeritus
Jul 28, 2003
6,995
10
Citizens Bank Park
Why are people visiting these malicious sites anyway? To me the best security is to only go to respected, well-known sites. It's like walking though the bad part of the neighborhood at night. Bad things may happen.
 
saving107

saving107

macrumors 603
Oct 14, 2007
6,384
33
San Jose, Ca
grapes911 said:
Why are people visiting these malicious sites anyway? To me the best security is to only go to respected, well-known sites. It's like walking though the bad part of the neighborhood at night. Bad things may happen.
Click to expand...

I agree with you, but as a pre-caution I tuned off Autofill from my Safari browser, Chrome Browser and Mobile Safari Browser a long time ago (before the story came out in June) just because I never trusted that feature.
 
miles01110

miles01110

macrumors Core
Jul 24, 2006
19,260
36
The Ivory Tower (I'm not coming down)
grapes911 said:
Why are people visiting these malicious sites anyway?
Click to expand...

I think the implication was that this could be implanted onto an otherwise reputable site if it could be broken into.

Darth.Titan said:
Can someone please tell me how the ability to obtain my name and address is a huge security threat? They can grab a phone book and get a bunch of that kind of info with far less effort.
Click to expand...

Because it ties your name and address to an IP address.
 
O

owensd

macrumors newbie
Feb 6, 2007
10
0
So let me get this straight... you have an autofill feature and you think it's a security bug because the user typed data into a cell that has focus, pressed tab to switch cells which triggers the auto-completion.

That is the entire point of auto-completion and is available in every browser.

The fact that it's on by default in Safari is where the potential problem exists.
 
C

ChrisA

macrumors G5
Jan 5, 2006
12,578
1,695
Redondo Beach, California
This is not a Mac/PC thing or even a Safari issue. It applies to all browsers

The way any browser should handle auto fill is to NEVER write information to parts of the screen that cannot be seen. This means even if the windows is covered by another window.

Next it might be good if all browsers asked before they sent any data the user did not type in, himself by hand. Pop-ups are annoying but the auto fill process might add something that forces the user to verify that the information entered is correct and desired.
 
T

Thinine

macrumors newbie
Jul 23, 2002
24
0
Sounds like a pretty easy fix: don't autofill form elements that aren't visible to the user.
 
baryon

baryon

macrumors 68040
Oct 3, 2009
3,878
2,929
How about not allowing forms and text boxes to be invisible in CSS? That should fix it, and put the responsibility on the user.
 
allpar

allpar

macrumors 6502
May 20, 2002
365
122
"How about not allowing forms and text boxes to be invisible in CSS? That should fix it, and put the responsibility on the user."

That will screw up a LOT of sites that have good reason to have invisible forms and text boxes.

I do like the idea of "no AutoFill into hidden forms." Hard to implement with no "gotchas."

I also like the idea of a dialogue box -- "Do you want to autofill?" -- which would eliminate this issue entirely without killing functionality.
 
F

fredfnord

macrumors regular
Sep 9, 2007
127
19
There is an easy fix, but I don't know if Apple will like it

When Safari detects a form, put a little button (perhaps a circle with a capital A in it) in the form elements. If the user clicks it, do an autofill. If not, don't.
 
baryon

baryon

macrumors 68040
Oct 3, 2009
3,878
2,929
grapes911 said:
Why are people visiting these malicious sites anyway? To me the best security is to only go to respected, well-known sites. It's like walking though the bad part of the neighborhood at night. Bad things may happen.
Click to expand...

So if the police said "just don't walk through the bad part of town" as a response to "what are you going to do against crime?", would you be satisfied?
 
L

lkrupp

macrumors 68000
Jul 24, 2004
1,877
3,805
Bleubird2 said:
Maybe it's time to just disable AutoFill until the security issues are completely fixed.
Click to expand...

These security nerds won't be satisified until every feature that users find useful is disabled or crippled. I, for one, don't intend to hide under my bed because a bad guy might get me. I've been using a personal computer since 1982, starting with dial-up bulleting boards and getting on the internet as soon as it became possible for a non-educational user to do so. In all those 28 years I have never been "hacked" nor my system compromised. And I don't think it was dumb luck either. These guys are constantly crying wolf and declaring that the sky is falling. Just like anything else in this world it's really digital darwinism at work. The stupid ones die or make the rest of us pay for their stupidity.:mad:
 
Blu101

Blu101

macrumors 6502a
Sep 10, 2010
562
0
grapes911 said:
Why are people visiting these malicious sites anyway? To me the best security is to only go to respected, well-known sites. It's like walking though the bad part of the neighborhood at night. Bad things may happen.
Click to expand...

Not all 6 billion people in the world can distinguish a good site from a bad site :rolleyes:

Furthermore, advanced phishing scams now copy entire websites near perfect, and can only be distinguished by looking at the address on the browser, but again, your non-tech/non-web savvy 50 year old will never know the difference. He'll just be happy to think he's using paypal, and even happier with a feature like auto fill for his arthritis.

grapes911 said:
No, but don't be surprised that crime happens in that section of town. If it's known, then stay away.
Click to expand...

Many times you don't know if "that section of town" is bad until you get there, and by the time your browser alerts you, it's already too late. Happened to my parents a few weeks back on their vista pc. $100 to fix.







Apple and other computer OS manufacurers should employ these hackers or invite them (with pay of course) to come and speak/educate on a regular basis. Pwn2wn works great at this, but just doesn't happen frequent enough IMO (what is it, just a once a year contest or something?).
 
RMo

RMo

macrumors 65816
Aug 7, 2007
1,254
281
Iowa, USA
Wouldn't a prompt to ask the user if they really want to do so take care of this situation? Granted, it's less convenient (but infinitely more so than having your data stolen), and a really malicious site could still trick a user into something like "Press Tab and then Enter (not Return)" if they happen to have that feature enabled (which Mozilla has taken care of with a mandatory delay), but maybe...
 
ikir

ikir

macrumors 68020
Sep 26, 2007
2,134
2,288
If you are stupid you don't have any protection agains these things. No software is secure against stupidity. Autofill is very handy imho.
 
iSee

iSee

macrumors 68040
Oct 25, 2004
3,539
272
owensd said:
So let me get this straight... you have an autofill feature and you think it's a security bug because the user typed data into a cell that has focus, pressed tab to switch cells which triggers the auto-completion.

That is the entire point of auto-completion and is available in every browser.

The fact that it's on by default in Safari is where the potential problem exists.
Click to expand...
Yeah, I'm half way with you. The exploit requires that the user actually use the autocomplete feature. But the user would not understand that's what's happening. I guess apple could improve things by, e.g., not enabling autocomplete on fields that aren't readily visible... That would help but not necessarily eliminate the problem. Apple could prompt the user each time autocomplete is used... Though to me that kills the convenience of it. They could make prompting an option for people who want to give up some convenience for security.
 
Dammit Cubs

Dammit Cubs

macrumors 68020
Jul 31, 2007
2,108
696
auto fill is the worst thing to happen PERIOD.

I cringe every time a Credit card number shows up after autofill.
 
inket

inket

macrumors regular
Dec 23, 2009
151
102
Now they just have to make forms un-editable when hidden using CSS.
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom