Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

Safari Autofill Security Issue Permits Access to Personal Information

That proof of concept site does not work at all here >_>

Searching "name":
Searching "company":
Searching "city":
Searching "state":
Searching "country":
Searching "email":
Click to expand...
 
How is this a security vulnerability? If you use the autofill feature, you are allowing your infos to be public, no?

Unless html5 comes with a system of security certificates to do users i/o, I don't see how this is a safari specific vulnerability. If other browers offered autofill, it would be the same situation right?

If I'm wrong please someone enlighten me :)
 
Works on Chrome Too

I tried the proof of concept and it pulls my autofill data from Chrome as well. So maybe it's not just a Safari bug.
 
mauree said:
How is this a security vulnerability? If you use the autofill feature, you are allowing your infos to be public, no?

Unless html5 comes with a system of security certificates to do users i/o, I don't see how this is a safari specific vulnerability. If other browers offered autofill, it would be the same situation right?

If I'm wrong please someone enlighten me :)
Click to expand...

Most users probably don't expect the feature to work that way.

Autocomplete is designed to save me keystrokes on typing the same exact data over and over, BUT I expect to have control over who that data gets sent to.

This exploit allows any page you visit to cull that info without the user authorizing it or taking any action.
 
gloomcookie1 said:
Though this does not necessarily mean that Apple's software is the most insecure in practice—the report takes no consideration of the severity of the flaws—it points at a growing trend in the world of security flaws: the role of third-party software. Many of Apple's flaws are not in its operating system, Mac OS X, but rather in software like Safari, QuickTime, and iTunes. Vendors like Adobe (with Flash and Adobe Reader) and Oracle (with Java) are similarly responsible for many of the flaws being reported.
Click to expand...

Safari, QuickTime and iTunes are not "third-party software." And they are not "not in its operating system" - they ship with the OS.
 
savar said:
There's nothing in the blog post about passwords. Where did you get that from?
Click to expand...
1Password will also fill in different "identities" for you. I have one for "Home" and another for "Work" which use the 1Password database. Not my Address Book card, so I turned of autocomplete from Address Book, and use 1Password to fill in name/address/etc when needed.
 
WiiDSmoker said:
Another prime example that Apple has a huge hurdle to cross to become as security safe as they alleged. Security through obscurity is slowly dwindeling.
Click to expand...

I agree. People can knock Microsoft all they want, but they do have a standard security patch release cycle that I would like Apple to replicate in at least some form. I don't care if windows is more vulnerable; it's a fact that Macs are not 100% secure for all users (yes, MR users will go and disable this feature in Safari, but what about the majority of non-tech people?) It's rather unsettling to hear of multiple reports like this where Apple has sat on vulnerabilities for an extended period of time, especially when it sounds like the fix isn't very dificult to implement.

And I use only Mac at home, etc. so I'm not a Microsoft supporter; I know all too well that Microsoft has many things to improve in their patch process. I agree 100% that Mac is simply a better experience, I'm simply commenting on the two company's response to security issues.
 
mauree said:
How is this a security vulnerability? If you use the autofill feature, you are allowing your infos to be public, no?

Unless html5 comes with a system of security certificates to do users i/o, I don't see how this is a safari specific vulnerability. If other browers offered autofill, it would be the same situation right?

If I'm wrong please someone enlighten me :)
Click to expand...

My thought exactly. How is it different from going on to a malicious website and manually typing your details? :confused:
 
grossman is well, GROSS

the autofill option is NOT turned on by default (not on any 5x of my apple products) ......... as he states........ or being quoted!

mass hysteria, or wanting attention? :(
 
The question on my mind is "Why is it possible to simulate keystrokes using JavaScript?". To me that's the security problem. Can somebody point me to a website that uses this JS simulated keystroke feature in a useful way?

Apple, if you are reading this, please add an "Allow JavaScript to simulate keystrokes" checkbox under the Security Tab.
 
RalfTheDog said:
Safari. Just use Firefox and you are safer than Windows and almost as safe as Linux.
Click to expand...

Safari is pretty solid, fast and secure. Don't be fooled by a some security issues, about all browsers have/had these kinds of problem. Also Safari's webkit engine is even superior to Gecko (Firefox) which is already great.
 
PurdueGuy said:
1Password will also fill in different "identities" for you. I have one for "Home" and another for "Work" which use the 1Password database. Not my Address Book card, so I turned of autocomplete from Address Book, and use 1Password to fill in name/address/etc when needed.
Click to expand...

Ahh. I own 1Password and didn't even think about that :)

AdeFowler said:
My thought exactly. How is it different from going on to a malicious website and manually typing your details? :confused:
Click to expand...

Because it can be done in the background without the user even knowing. The proof of concept displays it visually but it could easily be hidden so the user can't see it. (I expect it can also be sped up to scan more quickly, and they intentionally slowed it down for the demo.) Then it can be sent anywhere in the world without your permission.

If you combine this with a cross-site scripting attack, you could embed the code on somebody else's website and start stealing data about who visits your website and what company they work at, etc.
 
ikir said:
Safari is pretty solid, fast and secure. Don't be fooled by a some security issues, about all browsers have/had these kinds of problem. Also Safari's webkit engine is even superior to Gecko (Firefox) which is already great.
Click to expand...


+1 safari works great on all my mac stuff!

WHY BOTHER with firefox? updates every few weaks?

EISH......
 
savar said:
Most users probably don't expect the feature to work that way.

Autocomplete is designed to save me keystrokes on typing the same exact data over and over, BUT I expect to have control over who that data gets sent to.

This exploit allows any page you visit to cull that info without the user authorizing it or taking any action.
Click to expand...

Thanks Savar, you did put things in perspective. But I maintain that it's not an "exploit", but a feature (granted, a dangerous one), and one not specific to Safari. Short term, you can make users aware of that with a warning sign before checking that box.

I can't think of a long term secure solution to this that would not take away the coolness of autofill.
 
Before people start spreading FUD and claim that Firefox isn't vulnerable:
theregister.co.uk/2010/07/20/browser_info_disclosure_weaknesses/ said:
...uncovered flaws in Mozilla Firefox and Google Chrome that can expose passwords stored by the browsers...
Click to expand...
Although that does require XSS to work.
 
Assuming autofill is a desired feature, then the eventual fix might be to not allow a web site to automate key strokes. Are there legitimate uses of automated keystrokes? Would the functionality of some sites be reduced if they couldn't automate keystrokes?

Perhaps the answer is to limit automated keystrokes to certain types of fields?
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom
Back