For now, I say "meh".

I love autofill. I use a computer for convenience. All the information that could be stolen is public domain* anyhow.

*Minus my email address
 
This feature has been in there for a "long" time. Stop running around like chickens with your heads cut off.
:rolleyes:

If you don't want to use it, uncheck the box, or alternatively be more selective about the websites you visit. There are similar features in Firefox which you can turn on or off.

Start thinking for yourself and taking personal responsibility for your own actions.
:rolleyes:
I am sick of these fake lamer security "experts" getting their moment of fame for bringing up old stuff as if it was new. It's been there for years.
 
grossman is well, GROSS

the autofill option is NOT turned on by default (not on any 5 of my Apple products) ... as he states ... or is being quoted!

mass hysteria, or wanting attention? :(

I don't know. I just checked my preferences after seeing this article. The option for using the address book in autofill was checked in my preferences. I never set that myself. I turned it off for now until an update/fix.
 
This isn't news. I expect better from MacRumors than to post such drivel. It's not a "flaw" and it's not limited to Safari.
 
LastPass +1 Been using it for about a year now. Great, free, and easy to use. Works across my mac at home and my work PC.
 
+1 safari works great on all my mac stuff!

WHY BOTHER with Firefox? Updates every few weeks?

EISH......

Because some sites still don't work well with Safari. Having a choice of browsers is a good thing. What's wrong with updates? Firefox updates for you automatically.
 
Safari, QuickTime and iTunes are not "third-party software." And they are not "not in its operating system" - they ship with the OS.

Lots of stuff ships with the OS, but that doesn't make it part of the OS. Look at your typical Windows PC. The desktop is full of shyt out of the box; that doesn't mean all the bloatware is part of the OS.

You can remove iTunes, Safari, etc. with no ill effects. If you remove parts of the OS, you'd have problems.
 
Because some sites still don't work well with Safari. Having a choice of browsers is a good thing. What's wrong with updates? Firefox updates for you automatically.

Actually I think Firefox is great -- it's still way faster than Safari too. However, I stick with Safari still because it lets me view *.pdf files in the browser -- Firefox *makes* you download it if you want to view it. That's annoying. And I haven't found out how to turn it off yet. Also -- Firefox (to my knowledge) doesn't save your history beyond a day or so -- which is perplexing, especially when you find a site you need to look at a few days after the fact and don't remember the address...
 
I am going to come out and say this...

Safari Sucks.

Looks pretty, but it is not my girlfriend.

4 was better than 5 and 3 was better than 4.

I tried hard to really like Safari, but I cannot.

OK mobile browser, only because of no competition.

Poor desktop browser.

Want a real browser on the Mac—use Firefox.
 
Glad and sad this came about

Glad that it's simple to fix, sad that it's something so darn obvious and it's uncertain if Apple has made a note of this.

I never use Autofill but I'll be checking this tonight.
 
Actually I think Firefox is great -- it's still way faster than Safari too. However, I stick with Safari still because it lets me view *.pdf files in the browser -- Firefox *makes* you download it if you want to view it. That's annoying. And I haven't found out how to turn it off yet. Also -- Firefox (to my knowledge) doesn't save your history beyond a day or so -- which is perplexing, especially when you find a site you need to look at a few days after the fact and don't remember the address...

Yup, the PDF handling is a PITA.

As for history - FF will store history for longer than a few days -
Preferences -> Privacy -> Remember my browsing history for at least <number of days> days.

Also, ensure "Remember search and form history" option is checked.
 
two thoughts and a half.

Couldn't this be done with any browser on any operating system using auto-fill? Say an attacker could invisibly mimic the auto-fill for credit card information, and someone has bought something online and has default auto-fill settings. Anyone who purchased with a poorly designed credit card input system that allowed for the saving of the information could have their credit card numbers stolen through, like the article said, an ad on a website being an invisible input form attack.

Is it not possible for this to work with any browser on any OS? And even get credit card and more sensitive information than email addresses.

Also, before I thought about that I was going to ask if the iPad was similarly affected since it is Safari and all interconnected.

EDIT: THIS IS EASY!!!!!!! Too Easy !
And a half thought.... I see no reason why simulated keystrokes are needed for this attack. This is as simple as creating an input form that mimics stored data, and having the page automatically change/refresh to the form processing page/script.
 
I don't know. I just checked my preferences after seeing this article. The option for using the address book in autofill was checked in my preferences. I never set that myself.
I think one reason for this could be that different versions of Safari might have had different default settings. Under which version of the OS (since mostly the version of Safari is coupled to the OS) you last did a clean install might thus determine what your default settings are.
 
This isn't news. I expect better from MacRumors than to post such drivel. It's not a "flaw" and it's not limited to Safari.
So other browsers also are able to type into a text field without user input and thus trigger the autofill call?
 
Mr. Grossman

If you're truly concerned, Mr. Grossman, one would expect you to contact the WebKit Project and submit your proof of concept directly to WebKit.
 
Well...

I use Firefox 99% of the time. However, I did give the "proof-of-concept" site a try (after first examining the code of course) and on several Macs, iPhones and iPads with Safari installed. But, it did not seem to find any pre-filled data, at all. And I did have some stored data on all these devices. So, since all my devices are running the latest OS updates perhaps this the reason(?). Which, I might add, leads me to believe that the WebKit Framework may have been recently updated to deal with this exploit.
 
As an information security analyst... this is extremely old skewl and not a very complete post. I and others I know have used this technique for probably 7 or more years and I am sure we weren't the first to think of it either.

Also, he failed to realize that you can use hidden fields as well as mask fields to achieve the same goal.

Keep in mind, email addresses are not the true objective of this type of attack.

Having dozens of fields with the following names all hidden or masked is guaranteed to grab the data you are looking for as well as anything else you can think of.

cc
ccn
credit_card
cc1
ccnum
creditcard

security
code
secret

ssn
socialsecuritynumber
ssnumber
 
This feature has been in there for a "long" time. Stop running around like chickens with your heads cut off.
:rolleyes:

If you don't want to use it, uncheck the box, or alternatively be more selective about the websites you visit. There are similar features in Firefox which you can turn on or off.

Start thinking for yourself and taking personal responsibility for your own actions.
:rolleyes:
I am sick of these fake lamer security "experts" getting their moment of fame for bringing up old stuff as if it was new. It's been there for years.

Exactly... info-sec has always been frustrating. About every 2 years a new wave of them rolls in and rehashes all of the low-hanging security threats as if they were critical, simply because it's all they can comprehend at the moment.
 
If you're truly concerned, Mr. Grossman, one would expect you to contact the WebKit Project and submit your proof of concept directly to WebKit.
Because this has nothing to do with WebKit maybe?

I was expecting the cookie bug to be made public first; any website can wipe all your cookies :eek:
 
As an information security analyst... this is extremely old skewl and not a very complete post. I and others I know have used this technique for probably 7 or more years and I am sure we weren't the first to think of it either.

Also, he failed to realize that you can use hidden fields as well as mask fields to achieve the same goal.

Keep in mind, email addresses are not the true objective of this type of attack.

Having dozens of fields with the following names all hidden or masked is guaranteed to grab the data you are looking for as well as anything else you can think of.

cc
ccn
credit_card
cc1
ccnum
creditcard

security
code
secret

ssn
socialsecuritynumber
ssnumber

Couldn't you get all this without having autofill enabled anyhow?

Example:
I order some stuff at some site, my browser remembers the form fields and text I put into the inputs.

Now something fishes for this and autofills. It may not matter if I have autofill from Address Book enabled. Right?
 
Because it can be done in the background without the user even knowing. The proof of concept displays it visually but it could easily be hidden so the user can't see it. (I expect it can also be sped up to scan more quickly, and they intentionally slowed it down for the demo.) Then it can be sent anywhere in the world without your permission.

Actually, I did a quick test with the PoC-code, and found two things:
1. It can't be sped up. Apparently the autofill has a half-second delay, meaning the keystroke also needs half a second per letter;
2. If the form field is hidden by CSS, autofill doesn't work. Autofill seems to ONLY fill visible fields.

Knowing this… seems like quite a non-issue, to be honest. Only way this can be used is by having it visible on the page, and executing for quite a while before it finds the good stuff...
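The two technical points raised in this thread, that the harvesting form uses fields named after card and social-security data (the list posted above) and that the tester found autofill only populates fields the visitor can actually see, suggest a defender-side check: audit a page's own forms for sensitive-named inputs that are invisible (type=hidden, display:none, zero-sized or parked off-screen) and for visible high-value fields that still allow the browser to fill or remember them. The following is an added example written for this thread, not code from the original post or from the proof-of-concept site discussed. The name patterns are taken from the list posted above (the separate "security"/"code" entries are combined into one "securitycode" pattern and a bare "code" field is deliberately not matched, an assumption to avoid flagging discount-code boxes); the function names, thresholds and sample form are constructed for illustration.

```javascript
// Added example: audit form fields for autofill-harvesting patterns.
// Not from the thread; names, thresholds and sample data are constructed.

// High-value names from the list posted in this thread, matched after
// normalisation so "credit_card", "credit-card" and "creditCard" all match.
const HIGH_VALUE_PATTERNS = [
  /^cc\d*$/, /^ccn(um)?$/, /creditcard/, /securitycode/, /^secret$/,
  /^ssn(umber)?$/, /socialsecuritynumber/,
];
// Lower-value personal data (the e-mail address case from the article).
const PII_PATTERNS = [/^email$/, /^phone$/, /^address/];

function normalizeName(name) {
  return String(name || "").toLowerCase().replace(/[^a-z0-9]/g, "");
}

function isHighValueName(name) {
  const n = normalizeName(name);
  return HIGH_VALUE_PATTERNS.some((re) => re.test(n));
}

function isSensitiveName(name) {
  const n = normalizeName(name);
  return isHighValueName(n) || PII_PATTERNS.some((re) => re.test(n));
}

// A field the visitor cannot see: hidden input, CSS-hidden, zero-sized,
// or positioned far outside the viewport (threshold is an assumption).
function isInvisible(field) {
  if (field.type === "hidden") return true;
  if (field.display === "none" || field.visibility === "hidden") return true;
  if (field.width === 0 || field.height === 0) return true;
  if (field.left < -1000 || field.top < -1000) return true;
  return false;
}

// Returns one finding per suspicious field; an empty array means clean.
function auditFormFields(fields) {
  const findings = [];
  for (const f of fields) {
    if (isSensitiveName(f.name) && isInvisible(f)) {
      findings.push({ name: f.name, reason: "sensitive-named field is not visible to the user" });
    } else if (isHighValueName(f.name) && f.autocomplete !== "off") {
      findings.push({ name: f.name, reason: "high-value field lets the browser fill or remember it" });
    }
  }
  return findings;
}

// Browser adapter: build the same descriptors from live DOM inputs.
function collectDomFields(doc) {
  const out = [];
  for (const el of doc.querySelectorAll("input, textarea")) {
    const r = el.getBoundingClientRect();
    const cs = doc.defaultView.getComputedStyle(el);
    out.push({ name: el.name || el.id, type: el.type, autocomplete: el.getAttribute("autocomplete"),
      display: cs.display, visibility: cs.visibility,
      width: r.width, height: r.height, left: r.left, top: r.top });
  }
  return out;
}

// Constructed sample: a signup form carrying two fields the visitor never sees
// and one card field that leaves form memory/autofill switched on.
const vis = { type: "text", autocomplete: "on", display: "block", visibility: "visible", width: 200, height: 24, left: 10, top: 10 };
const SAMPLE_FIELDS = [
  { ...vis, name: "email" },                       // legitimate, visible
  { ...vis, name: "comment" },                     // not sensitive
  { ...vis, name: "ccnum", left: -5000 },          // parked off-screen
  { ...vis, name: "ssn", type: "hidden" },         // hidden input
  { ...vis, name: "credit_card" },                 // visible but autofill-able
];

if (typeof document !== "undefined") {
  console.log(auditFormFields(collectDomFields(document)));
} else {
  console.log(auditFormFields(SAMPLE_FIELDS));
}
```

Run in Node it reports three findings for the constructed form (the off-screen `ccnum`, the hidden `ssn`, and the visible `credit_card` without `autocomplete="off"`); pasted into a browser console it audits the current page instead. The visibility rule follows the tester's observation that Safari's autofill only touches visible fields, so the off-screen and zero-size checks matter more than `type=hidden` for catching what would actually get populated.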
 