Safari Autofill Security Issue Permits Access to Personal Information

[MacRumors]

Earlier this week, The Register detailed a security vulnerability found in Apple's Safari Autofill feature that could enable malicious websites to extract users' personal information from their Address Book entries. The security researcher, Jeremiah Grossman of WhiteHat Security, followed up with a blog post yesterday detailing the exploit and offering a proof of concept webpage allowing users to see if they are vulnerable.

The vulnerability arises from Address Book's usage of simple form text fields to store the user's personal information, paired with Safari's ability to automatically grab that information through its Autofill feature to assist users with filling out web forms.

Quote:

All a malicious website would have to do to surreptitiously extract Address Book card data from Safari is dynamically create form text fields with the aforementioned names, probably invisibly, and then simulate A-Z keystroke events using JavaScript. When data is populated, that is AutoFill'ed, it can be accessed and sent to the attacker.

For some reason, fields that begin with numbers such as phone numbers and street addresses are not subject to this vulnerability. A user's name, company affiliation, city/state/country, and email addresses can, however, typically be accessed.

Quote:

Still, such attacks could be easily and cheaply distributed on a mass scale using an advertising network where likely no one would ever notice because it's not exploit code designed to deliver rootkit payload. In fact, there is no guarantee this has not already taken place. What is safe to say is that this vulnerability is so brain dead simple that I assumed someone else must have publicly reported it already, but exhaustive searches and asking several colleagues turned up nothing.

Grossman reports that he submitted information on the vulnerability to Apple on June 17th, but has received nothing more than an automatic acknowledgement of his submission despite an attempted follow-up. Consequently, Grossman is making public disclosure of the vulnerability so that users can take steps to protect themselves by disabling the Autofill feature, which is turned on by default.

Article Link: Safari Autofill Security Issue Permits Access to Personal Information

[nwcs]

Another reason not to use autofill.

[seven2k7]

Quote:

Originally Posted by nwcs

Another reason not to use autofill.

http://arstechnica.com/security/news...insecurity.ars

[ThunderSkunk]

Dammit, I like autofill.

[applephysci]

This can be scary. It's surprising no-one has made a big deal about this until now.

[xxgilxx]

Self inflicted spam! Ha

[Corrosive vinyl]

+1 on not using auto fill.

Why are there so many security vulnerabilities showing up all at once for ?

[gloomcookie1]

Quote:

Originally Posted by seven2k7

http://arstechnica.com/security/news...insecurity.ars

Though this does not necessarily mean that Apple's software is the most insecure in practice—the report takes no consideration of the severity of the flaws—it points at a growing trend in the world of security flaws: the role of third-party software. Many of Apple's flaws are not in its operating system, Mac OS X, but rather in software like Safari, QuickTime, and iTunes. Vendors like Adobe (with Flash and Adobe Reader) and Oracle (with Java) are similarly responsible for many of the flaws being reported.

[RalfTheDog]

Quote:

Originally Posted by Corrosive vinyl

+1 on not using auto fill.

Why are there so many security vulnerabilities showing up all at once for ?

Safari. Just use Firefox and you are safer than Windows and almost as safe as Linux.

[ColdCoffee]

What about passwords autofill? I have that option on.

[Lord Vader]

Quote:

Originally Posted by seven2k7

http://arstechnica.com/security/news...insecurity.ars

ArsTechnica is not what is was.

[rKunda]

1 more reason to use 1Password... =)

[HikariYuki]

Quote:

Originally Posted by rKunda

1 more reason to use 1Password... =)

+1 for 1password.

[Nicklaus]

Been using lastpass on Leo laporte and Steve gibsons recommendation as the only one they trust and it turns off autofill when you install and then uses it's own encrypted autofill.

[Novaoblivion]

Quote:

Originally Posted by rKunda

1 more reason to use 1Password... =)

Indeed 1Password is great!

[Block]

Quote:

Originally Posted by Corrosive vinyl

+1 on not using auto fill.

Why are there so many security vulnerabilities showing up all at once for ?

There aren't that many for the operating system itself, it is mostly the third-party software programs that are causing problems.

[Lord Vader]

Quote:

Originally Posted by rKunda

1 more reason to use 1Password... =)

1Password is bug free?

[Surely]

What about that "Other Forms" option. Is that one cool to keep checked? It doesn't have that scary red circle around it.....

[Mac-Michael]

Convenience and security are two opposite sides of a spectrum.

[Morod]

I'm vulnerable...
Correction. I WAS vulnerable.
Lastpass works okay?

[OrangeSVTguy]

Just disabled it.... Only using Safari anyways since I haven't DL Firefox yet

Then again, the address on this MBP is empty since I haven't synced it yet to my Mini.

[Nicklaus]

Quote:

Originally Posted by Morod

I'm vulnerable...
Lastpass works okay?

It works for me if you watch the security now podcast they talk for about 2 hours over two or three of the last episodes all about why they like it.

Convinced me.

And it's free

[WiiDSmoker]

Another prime example that Apple has a huge hurdle to cross to become as security safe as they alleged. Security through obscurity is slowly dwindeling.

[jeffereyj]

Firefox FTW.

plus i simply cannot surf without using the AdBlock extension (every time i use Safari on iPhone i'm reminded of why..)

[Morod]

Actually, this was something I wondered about.
The email address that the proof of concept web page came up with is a MM alias I rarely use. The last couple of weeks I received 5 or 6 spams to that address. I wondered where they got it from as I rarely used it.