Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

Safari 5.0.1 and 4.1.1 Address AutoFill Security Flaw

MacRumors

MacRumors

macrumors bot
Original poster
Apr 12, 2001
68,132
38,889



100639-safari_autofill.jpg


As noted in the security documentation accompanying today's release, Safari 5.0.1 and 4.1.1 address an AutoFill security flaw disclosed last week that could allow a malicious site to obtain a user's Address Book information, including name, company affiliation, city/state/country, and email address.
Impact: Safari's AutoFill feature may disclose information to websites without user interaction

Description: Safari's AutoFill feature can automatically fill out web forms using designated information in your Mac OS X Address Book, Outlook, or Windows Address Book. By design, user action is required for AutoFill to operate within a web form. An implementation issue exists that allows a maliciously crafted website to trigger AutoFill without user interaction. This can result in the disclosure of information contained within the user's Address Book Card. To trigger the issue, the following two situations are required. First, in Safari Preferences, under AutoFill, the "Autofill web forms using info from my Address Book card" checkbox must be selected. Second, the user's Address Book must have a Card designated as "My Card". Only the information in that specific card is accessed via AutoFill. This issue is addressed by prohibiting AutoFill from using information without user action. Devices running iOS are not affected. Credit to Jeremiah Grossman of WhiteHat Security for reporting this issue.
Click to expand...
Grossman reported the issue to Apple on June 17th, but went public with his disclosure last week in order to alert customers after failing to receive significant response from Apple. After Grossman's public disclosure, Apple acknowledged the issue and promised that it was working on a fix.

Article Link: Safari 5.0.1 and 4.1.1 Address AutoFill Security Flaw
 
Article Link
https://www.macrumors.com/2010/07/28/safari-5-0-1-and-4-1-1-address-autofill-security-flaw/
They had to patch this quickly because it's so easy to exploit that someone was bound to do it at Black Hat.
 
I'm still confused how autofilling the form can give the site access to your data. UNless the data is submitted. Just typing data into a form field doesn't send the data to the server. Or does the site wait for it to be autofilled and then it triggers the submit itself?
 
griz said:
I'm still confused how autofilling the form can give the site access to your data. UNless the data is submitted. Just typing data into a form field doesn't send the data to the server. Or does the site wait for it to be autofilled and then it triggers the submit itself?
Click to expand...

I'm no web developer (Mac/iOS instead) but I'm pretty sure that you can get the user's typing before they submit a form. JavaScript events when the text field changed or something like that. Google does this, for instance, to show search results.
 
Awesome.

By the way, it's an issue with ALL browsers, not just Safari.

Where're the other vendor's browser security updates?
 
Quite a confusing headline there: "Safari 5.0.1 and 4.1.1 Address AutoFill Security Flaw"

Same in the first paragraph — especially when address and Address have two different meanings. Could you not just use recognise or warn of in place of address?

The readability of this site is fairly poor. Please employ a proper journalist.
 
iTeleport said:
Quite a confusing headline there: "Safari 5.0.1 and 4.1.1 Address AutoFill Security Flaw"

Same in the first paragraph — especially when address and Address have two different meanings. Could you not just use recognise or warn of in place of address?

The readability of this site is fairly poor. Please employ a proper journalist.
Click to expand...

I agree, it is indeed a very confusing title :(

edit. nm
 
Is this 'my card' a default thing that automatically writes user's contact details to it? Who would make a card with their own details and call it 'My Card'? Surely you'd use your own name so you can search with your initial rather than 'M' for 'My'
 
pdjudd said:
It deals with the issue - hence the usage of the word "address"
Click to expand...

Maybe deal with is a much better combination of words. From previous posts on here I know the security issue is to do with the Address Book — so reading "Address AutoFill Security Flaw" in this context does not sound right.
 
MrSmith said:
Is this 'my card' a default thing that automatically writes user's contact details to it? Who would make a card with their own details and call it 'My Card'? Surely you'd use your own name so you can search with your initial rather than 'M' for 'My'
Click to expand...

I think you've misunderstood. It's a feature of Address Book, not a card that's literally named "My Card."

mycard.jpg
 
I agree that this was a very difficult article to understand the way it was written. Address could have been replace with fix or corrected a problem.


Why couldn't Apple just employ a simple password to allow access to user info for autofill- at least provide that as an additional security option.
 
Nugget said:
I think you've misunderstood. It's a feature of Address Book, not a card that's literally named "My Card."

mycard.jpg
Click to expand...

Are you really the CTO of Flightaware? I love that site :D

So I guess this option can be rechecked now? Or should the card your using have less info, or only the info you want to give out? I typically use 1PassWord to fill in forms. More automation the better I say :)
 
What about Safari on iPhone?

Is the vulnerability still there on Safari browser in the iPhone?
 
Why does Apple wait until they are publicly humiliated before acknowledging security bugs like this? They really need to lighten up on this secrecy bulls**t, it's just irresponsible.
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom
Back