Safari 5.0.1 and 4.1.1 Address AutoFill Security Flaw

MacRumors

macrumors bot
Original poster
Apr 12, 2001
46,808
8,970





As noted in the security documentation accompanying today's release, Safari 5.0.1 and 4.1.1 address an AutoFill security flaw disclosed last week that could allow a malicious site to obtain a user's Address Book information, including name, company affiliation, city/state/country, and email address.

> Impact: Safari's AutoFill feature may disclose information to websites without user interaction
>
> Description: Safari's AutoFill feature can automatically fill out web forms using designated information in your Mac OS X Address Book, Outlook, or Windows Address Book. By design, user action is required for AutoFill to operate within a web form. An implementation issue exists that allows a maliciously crafted website to trigger AutoFill without user interaction. This can result in the disclosure of information contained within the user's Address Book Card. To trigger the issue, the following two situations are required. First, in Safari Preferences, under AutoFill, the "Autofill web forms using info from my Address Book card" checkbox must be selected. Second, the user's Address Book must have a Card designated as "My Card". Only the information in that specific card is accessed via AutoFill. This issue is addressed by prohibiting AutoFill from using information without user action. Devices running iOS are not affected. Credit to Jeremiah Grossman of WhiteHat Security for reporting this issue.

Grossman reported the issue to Apple on June 17th, but went public with his disclosure last week in order to alert customers after failing to receive a significant response from Apple. After Grossman's public disclosure, Apple acknowledged the issue and promised that it was working on a fix.

Article Link: Safari 5.0.1 and 4.1.1 Address AutoFill Security Flaw
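
The fix the advisory describes, "prohibiting AutoFill from using information without user action", can be modelled as a gate in front of the fill step. The JavaScript below is an added example, not code from Apple, Safari or the original post; the class, field names and sample card are hypothetical, and using the DOM `isTrusted` flag as the signal for user action is an assumption of this model.

```javascript
// Added illustration: a simplified model, not Safari's implementation.
// AutoFillGate, USER_GESTURES and myCard are hypothetical names.
const USER_GESTURES = new Set(["keydown", "input", "click"]);

class AutoFillGate {
  constructor(card, enabled) {
    this.card = card;       // the single "My Card" record AutoFill may use
    this.enabled = enabled; // the AutoFill preference checkbox
    this.log = [];          // audit trail of every decision
  }

  // Decide whether an event on a form field may trigger a fill.
  // event.isTrusted is the DOM flag that is true for events generated by
  // the user agent and false for events dispatched by page script.
  decide(event) {
    if (!this.enabled) return "deny: autofill disabled";
    if (!this.card) return "deny: no My Card designated";
    if (!USER_GESTURES.has(event.type)) return "deny: not a user gesture";
    if (event.isTrusted !== true) return "deny: synthetic event";
    return "allow";
  }

  // Fill only fields the card has data for, and only when decide() allows.
  // A filled value is readable by page script before any submit, so the
  // decision has to be made before the fill, not at submission time.
  fill(event, form) {
    const verdict = this.decide(event);
    this.log.push({ type: event.type, trusted: event.isTrusted === true, verdict });
    if (verdict !== "allow") return form;
    const filled = { ...form };
    for (const name of Object.keys(form)) {
      if (name in this.card) filled[name] = this.card[name];
    }
    return filled;
  }
}

// Constructed sample data.
const myCard = { name: "Pat Example", email: "pat@example.com", city: "Springfield" };
const emptyForm = { name: "", email: "", city: "", comment: "" };

function demo() {
  const gate = new AutoFillGate(myCard, true);
  const fromScript = gate.fill({ type: "input", isTrusted: false }, emptyForm);
  const fromUser = gate.fill({ type: "input", isTrusted: true }, emptyForm);
  return { fromScript, fromUser, log: gate.log };
}
```
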
 

Shookster

macrumors regular
Feb 16, 2009
115
108
They had to patch this quickly because it's so easy to exploit that someone was bound to do it at Black Hat.
 

griz

macrumors 6502a
Dec 18, 2003
580
219
New London, NH
I'm still confused how autofilling the form can give the site access to your data. Unless the data is submitted. Just typing data into a form field doesn't send the data to the server. Or does the site wait for it to be autofilled and then it triggers the submit itself?
 

SlaunchaMan

macrumors member
Nov 2, 2007
30
44
Detroit, MI
> I'm still confused how autofilling the form can give the site access to your data. Unless the data is submitted. Just typing data into a form field doesn't send the data to the server. Or does the site wait for it to be autofilled and then it triggers the submit itself?

I'm no web developer (Mac/iOS instead) but I'm pretty sure that you can get the user's typing before they submit a form. JavaScript events when the text field changed or something like that. Google does this, for instance, to show search results.
 

Consultant

macrumors G5
Jun 27, 2007
13,291
14
Awesome.

By the way, it's an issue with ALL browsers, not just Safari.

Where're the other vendors' browser security updates?
 

iTeleport

macrumors member
Jul 11, 2008
66
0
Quite a confusing headline there: "Safari 5.0.1 and 4.1.1 Address AutoFill Security Flaw"

Same in the first paragraph — especially when address and Address have two different meanings. Could you not just use recognise or warn of in place of address?

The readability of this site is fairly poor. Please employ a proper journalist.
 

madrag

macrumors 6502
Nov 2, 2007
351
55
> Quite a confusing headline there: "Safari 5.0.1 and 4.1.1 Address AutoFill Security Flaw"
>
> Same in the first paragraph — especially when address and Address have two different meanings. Could you not just use recognise or warn of in place of address?
>
> The readability of this site is fairly poor. Please employ a proper journalist.

I agree, it is indeed a very confusing title :(

edit. nm
 

MrSmith

macrumors 68040
Nov 27, 2003
3,046
13
Is this 'my card' a default thing that automatically writes user's contact details to it? Who would make a card with their own details and call it 'My Card'? Surely you'd use your own name so you can search with your initial rather than 'M' for 'My'
 

iTeleport

macrumors member
Jul 11, 2008
66
0
It deals with the issue - hence the usage of the word "address"
Maybe deal with is a much better combination of words. From previous posts on here I know the security issue is to do with the Address Book — so reading "Address AutoFill Security Flaw" in this context does not sound right.
 

Nugget

macrumors 68000
Nov 24, 2002
1,828
741
Houston Texas USA
> Is this 'my card' a default thing that automatically writes user's contact details to it? Who would make a card with their own details and call it 'My Card'? Surely you'd use your own name so you can search with your initial rather than 'M' for 'My'

I think you've misunderstood. It's a feature of Address Book, not a card that's literally named "My Card."

 

flyfish29

macrumors 68020
Feb 4, 2003
2,173
4
New HAMpshire
I agree that this was a very difficult article to understand the way it was written. Address could have been replaced with fix or corrected a problem.

Why couldn't Apple just employ a simple password to allow access to user info for autofill - at least provide that as an additional security option.
 

csmitty

macrumors regular
Sep 15, 2007
241
0
> I think you've misunderstood. It's a feature of Address Book, not a card that's literally named "My Card."

Are you really the CTO of Flightaware? I love that site :D

So I guess this option can be rechecked now? Or should the card you're using have less info, or only the info you want to give out? I typically use 1Password to fill in forms. More automation the better I say :)
 

Xenu007

macrumors member
Mar 19, 2008
68
0
What about Safari on iPhone?

Is the vulnerability still there on Safari browser in the iPhone?
 

knightlie

macrumors 6502a
Feb 18, 2008
546
0
Why does Apple wait until they are publicly humiliated before acknowledging security bugs like this? They really need to lighten up on this secrecy bulls**t, it's just irresponsible.