Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

Safari Autofill Security Issue Permits Access to Personal Information

MacRumors

MacRumors

macrumors bot
Original poster
Apr 12, 2001
70,337
41,946



115714-safari_autofill.jpg


Earlier this week, The Register detailed a security vulnerability found in Apple's Safari Autofill feature that could enable malicious websites to extract users' personal information from their Address Book entries. The security researcher, Jeremiah Grossman of WhiteHat Security, followed up with a blog post yesterday detailing the exploit and offering a proof of concept webpage allowing users to see if they are vulnerable.

The vulnerability arises from Address Book's usage of simple form text fields to store the user's personal information, paired with Safari's ability to automatically grab that information through its Autofill feature to assist users with filling out web forms.
All a malicious website would have to do to surreptitiously extract Address Book card data from Safari is dynamically create form text fields with the aforementioned names, probably invisibly, and then simulate A-Z keystroke events using JavaScript. When data is populated, that is AutoFill'ed, it can be accessed and sent to the attacker.
Click to expand...
For some reason, fields that begin with numbers such as phone numbers and street addresses are not subject to this vulnerability. A user's name, company affiliation, city/state/country, and email addresses can, however, typically be accessed.
Still, such attacks could be easily and cheaply distributed on a mass scale using an advertising network where likely no one would ever notice because it's not exploit code designed to deliver rootkit payload. In fact, there is no guarantee this has not already taken place. What is safe to say is that this vulnerability is so brain dead simple that I assumed someone else must have publicly reported it already, but exhaustive searches and asking several colleagues turned up nothing.
Click to expand...
Grossman reports that he submitted information on the vulnerability to Apple on June 17th, but has received nothing more than an automatic acknowledgement of his submission despite an attempted follow-up. Consequently, Grossman is making public disclosure of the vulnerability so that users can take steps to protect themselves by disabling the Autofill feature, which is turned on by default.

Article Link: Safari Autofill Security Issue Permits Access to Personal Information
 
Article Link
https://www.macrumors.com/2010/07/22/safari-autofill-security-issue-permits-access-to-personal-information/
seven2k7 said:
http://arstechnica.com/security/news/2010/07/apple-the-new-world-leader-in-software-insecurity.ars
Click to expand...

Though this does not necessarily mean that Apple's software is the most insecure in practice—the report takes no consideration of the severity of the flaws—it points at a growing trend in the world of security flaws: the role of third-party software. Many of Apple's flaws are not in its operating system, Mac OS X, but rather in software like Safari, QuickTime, and iTunes. Vendors like Adobe (with Flash and Adobe Reader) and Oracle (with Java) are similarly responsible for many of the flaws being reported.
 
Been using lastpass on Leo laporte and Steve gibsons recommendation as the only one they trust and it turns off autofill when you install and then uses it's own encrypted autofill.
 
Corrosive vinyl said:
+1 on not using auto fill.

Why are there so many security vulnerabilities showing up all at once for :apple:?
Click to expand...

There aren't that many for the operating system itself, it is mostly the third-party software programs that are causing problems.
 
Just disabled it.... Only using Safari anyways since I haven't DL Firefox yet:p

Then again, the address on this MBP is empty since I haven't synced it yet to my Mini.
 
Another prime example that Apple has a huge hurdle to cross to become as security safe as they alleged. Security through obscurity is slowly dwindeling.
 
Firefox FTW.

plus i simply cannot surf without using the AdBlock extension (every time i use Safari on iPhone i'm reminded of why..)
 
Actually, this was something I wondered about.
The email address that the proof of concept web page came up with is a MM alias I rarely use. The last couple of weeks I received 5 or 6 spams to that address. I wondered where they got it from as I rarely used it.
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom
Back