
Safari AutoFill Security Issue Rears Its Head Once Again

MacRumors

macrumors bot
Original poster
Apr 12, 2001
50,441
11,827

Back in July, security researcher Jeremiah Grossman revealed a security issue that could allow malicious parties to take advantage of Safari's AutoFill feature to extract personal information from users' Address Book entries. At the time, Grossman reported that his report to Apple had gone essentially unacknowledged for nearly a month, but just six days later Apple released Safari 5.0.1 and 4.1.1 to address the problem.




Screenshot of Grossman's proof-of-concept test of new AutoFill exploit
Grossman now reports that he has discovered another similar AutoFill security issue that, while requiring the malicious party to trick users into providing a pair of keystrokes rather than being completely automated as in the previous exploit, offers an even more efficient means for users' personal information to be obtained.
To perform our attack requires a tiny bit of end-user trickery. Two button presses to be precise. A malicious website detects (ie: IP address) the country the victim is from. For our purposes here we'll assume the "US." The attacker invisibly (CSS transparency) sets up the aforementioned form and forces the keystroke focus into the country element. Notice how this is done in the video on the right side of the screen, which is only visible for demonstration purposes. Next the attacker entices the victim to type "U" (first character of "US") and then press "TAB." And BAM! That's it! Data stolen.
Grossman relates that he notified Apple of the newly-discovered exploit via email on August 10th and again a few days later. One week after that, he received a phone call from an Apple product security engineer with whom he had a "productive chat" about how the original vulnerability report from June had been handled, only to discover at the end of the conversation that the engineer had no idea that Grossman had reported the second issue a week and a half prior.

As with the earlier exploit, users can protect themselves by simply turning off the AutoFill option to automatically populate forms with information from their Address Book cards. Grossman notes, however, that he is unsure how Apple plans to address the vulnerability while still maintaining the convenience of the AutoFill feature. While Apple's previous patch allowed Safari to automatically differentiate automated JavaScript-simulated keystrokes from real keystrokes, thus thwarting the original exploit, the new exploit relies on tricking the user into actually entering the necessary keystroke, a tactic that could be more difficult to address.

 

skeep5

macrumors 6502a
Mar 16, 2006
560
0
AZ
aw crap. man i'm all depressed now. went from hey! there's a 7 inch ipad coming to hey! safari just sent all your info to bangladesh. :rolleyes:
 
Comment

Bleubird2

macrumors member
Apr 2, 2010
34
0
Maybe it's time to just disable AutoFill until the security issues are completely fixed.
 
Comment

Darth.Titan

macrumors 68030
Oct 31, 2007
2,766
480
Austin, TX
Can someone please tell me how the ability to obtain my name and address is a huge security threat? They can grab a phone book and get a bunch of that kind of info with far less effort.

Not sure what the big deal is. It's not like the Address book info contains credit card and Social Security numbers. :confused:
 
Comment

grapes911

Moderator emeritus
Jul 28, 2003
6,994
3
Citizens Bank Park
Why are people visiting these malicious sites anyway? To me the best security is to only go to respected, well-known sites. It's like walking through the bad part of the neighborhood at night. Bad things may happen.
 
Comment

saving107

macrumors 603
Oct 14, 2007
6,376
14
San Jose, Ca
Why are people visiting these malicious sites anyway? To me the best security is to only go to respected, well-known sites. It's like walking through the bad part of the neighborhood at night. Bad things may happen.

I agree with you, but as a precaution I turned off Autofill from my Safari browser, Chrome Browser and Mobile Safari Browser a long time ago (before the story came out in June) just because I never trusted that feature.
 
Comment

miles01110

macrumors Core
Jul 24, 2006
19,261
31
The Ivory Tower (I'm not coming down)
Why are people visiting these malicious sites anyway?

I think the implication was that this could be implanted onto an otherwise reputable site if it could be broken into.

Can someone please tell me how the ability to obtain my name and address is a huge security threat? They can grab a phone book and get a bunch of that kind of info with far less effort.

Because it ties your name and address to an IP address.
 
Comment

owensd

macrumors newbie
Feb 6, 2007
10
0
So let me get this straight... you have an autofill feature and you think it's a security bug because the user typed data into a cell that has focus, pressed tab to switch cells which triggers the auto-completion.

That is the entire point of auto-completion and is available in every browser.

The fact that it's on by default in Safari is where the potential problem exists.
 
Comment

ChrisA

macrumors G4
Jan 5, 2006
11,734
504
Redondo Beach, California
This is not a Mac/PC thing or even a Safari issue. It applies to all browsers.

The way any browser should handle auto fill is to NEVER write information to parts of the screen that cannot be seen. This means even if the window is covered by another window.

Next it might be good if all browsers asked before they sent any data the user did not type in, himself by hand. Pop-ups are annoying but the auto fill process might add something that forces the user to verify that the information entered is correct and desired.
 
Comment

Thinine

macrumors newbie
Jul 23, 2002
24
0
Sounds like a pretty easy fix: don't autofill form elements that aren't visible to the user.
 
Comment

baryon

macrumors 68040
Oct 3, 2009
3,575
1,673
How about not allowing forms and text boxes to be invisible in CSS? That should fix it, and put the responsibility on the user.
 
Comment

allpar

macrumors 6502
May 20, 2002
321
67
"How about not allowing forms and text boxes to be invisible in CSS? That should fix it, and put the responsibility on the user."

That will screw up a LOT of sites that have good reason to have invisible forms and text boxes.

I do like the idea of "no AutoFill into hidden forms." Hard to implement with no "gotchas."

I also like the idea of a dialogue box -- "Do you want to autofill?" -- which would eliminate this issue entirely without killing functionality.
 
Comment
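
A sketch of the "no AutoFill into fields the user can't see" check proposed in the replies above, as an added example that is not part of the thread or of Safari's code. The thresholds, function names and sample field objects are assumptions; the `stackedOpacity` case shows one of the "gotchas": no single element is fully transparent, yet the field is effectively invisible.

```javascript
// Added example: a visibility gate an autofill implementation could apply.
// Inputs are constructed plain objects; in a page they would come from
// getComputedStyle() on the field and each ancestor, and getBoundingClientRect().
const MIN_OPACITY = 0.5; // assumed threshold, not a browser constant
const MIN_SIZE_PX = 8;   // assumed minimum width/height

function autofillBlockReasons(field, viewport) {
  const reasons = [];
  // Opacity is not inherited, it multiplies down the tree: check the product.
  const opacity = field.styleChain.reduce(
    (acc, s) => acc * (s.opacity === undefined ? 1 : s.opacity), 1);
  if (opacity < MIN_OPACITY) reasons.push("transparent");
  if (field.styleChain.some((s) => s.display === "none")) reasons.push("display-none");
  // visibility is inherited, so the field's own computed value is enough.
  if (field.styleChain[0].visibility === "hidden") reasons.push("visibility-hidden");
  const r = field.rect;
  if (r.width < MIN_SIZE_PX || r.height < MIN_SIZE_PX) reasons.push("too-small");
  if (r.x + r.width <= 0 || r.y + r.height <= 0 ||
      r.x >= viewport.width || r.y >= viewport.height) reasons.push("off-screen");
  // Not covered: an opaque field hidden behind another element, which needs
  // hit testing (for example document.elementFromPoint) rather than style checks.
  return reasons;
}

const viewport = { width: 1280, height: 800 };
const rect = { x: 100, y: 200, width: 180, height: 24 };
const shown = { opacity: 1, display: "block", visibility: "visible" };

// Constructed sample fields; styleChain[0] is the field, then its ancestors.
const samples = {
  ordinary: { styleChain: [shown, shown], rect },
  transparentForm: { styleChain: [shown, { ...shown, opacity: 0 }], rect },
  stackedOpacity: { styleChain: [shown, ...Array(3).fill({ ...shown, opacity: 0.7 })], rect },
  offScreen: { styleChain: [shown, shown], rect: { ...rect, x: -5000 } },
};

// Returns, per sample field, the reasons autofill would be refused (empty = allow).
function decideAll() {
  const out = {};
  for (const [name, field] of Object.entries(samples)) {
    out[name] = autofillBlockReasons(field, viewport);
  }
  return out;
}

console.log(decideAll());
```
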

fredfnord

macrumors regular
Sep 9, 2007
127
19
There is an easy fix, but I don't know if Apple will like it

When Safari detects a form, put a little button (perhaps a circle with a capital A in it) in the form elements. If the user clicks it, do an autofill. If not, don't.
 
Comment

baryon

macrumors 68040
Oct 3, 2009
3,575
1,673
Why are people visiting these malicious sites anyway? To me the best security is to only go to respected, well-known sites. It's like walking through the bad part of the neighborhood at night. Bad things may happen.

So if the police said "just don't walk through the bad part of town" as a response to "what are you going to do against crime?", would you be satisfied?
 
Comment

lkrupp

macrumors 65816
Jul 24, 2004
1,073
1,646
Maybe it's time to just disable AutoFill until the security issues are completely fixed.

These security nerds won't be satisfied until every feature that users find useful is disabled or crippled. I, for one, don't intend to hide under my bed because a bad guy might get me. I've been using a personal computer since 1982, starting with dial-up bulletin boards and getting on the internet as soon as it became possible for a non-educational user to do so. In all those 28 years I have never been "hacked" nor my system compromised. And I don't think it was dumb luck either. These guys are constantly crying wolf and declaring that the sky is falling. Just like anything else in this world it's really digital darwinism at work. The stupid ones die or make the rest of us pay for their stupidity.:mad:
 
Comment

Blu101

macrumors 6502a
Sep 10, 2010
562
0
Why are people visiting these malicious sites anyway? To me the best security is to only go to respected, well-known sites. It's like walking through the bad part of the neighborhood at night. Bad things may happen.

Not all 6 billion people in the world can distinguish a good site from a bad site :rolleyes:

Furthermore, advanced phishing scams now copy entire websites near perfect, and can only be distinguished by looking at the address on the browser, but again, your non-tech/non-web savvy 50 year old will never know the difference. He'll just be happy to think he's using paypal, and even happier with a feature like auto fill for his arthritis.

No, but don't be surprised that crime happens in that section of town. If it's known, then stay away.

Many times you don't know if "that section of town" is bad until you get there, and by the time your browser alerts you, it's already too late. Happened to my parents a few weeks back on their vista pc. $100 to fix.







Apple and other computer OS manufacturers should employ these hackers or invite them (with pay of course) to come and speak/educate on a regular basis. Pwn2Own works great at this, but just doesn't happen frequent enough IMO (what is it, just a once a year contest or something?).
 
Comment

RMo

macrumors 65816
Aug 7, 2007
1,220
215
Iowa, USA
Wouldn't a prompt to ask the user if they really want to do so take care of this situation? Granted, it's less convenient (but infinitely more so than having your data stolen), and a really malicious site could still trick a user into something like "Press Tab and then Enter (not Return)" if they happen to have that feature enabled (which Mozilla has taken care of with a mandatory delay), but maybe...
 
Comment

ikir

macrumors 65816
Sep 26, 2007
1,469
974
If you are stupid you don't have any protection against these things. No software is secure against stupidity. Autofill is very handy imho.
 
Comment

iSee

macrumors 68040
Oct 25, 2004
3,526
253
So let me get this straight... you have an autofill feature and you think it's a security bug because the user typed data into a cell that has focus, pressed tab to switch cells which triggers the auto-completion.

That is the entire point of auto-completion and is available in every browser.

The fact that it's on by default in Safari is where the potential problem exists.
Yeah, I'm half way with you. The exploit requires that the user actually use the autocomplete feature. But the user would not understand that's what's happening. I guess apple could improve things by, e.g., not enabling autocomplete on fields that aren't readily visible... That would help but not necessarily eliminate the problem. Apple could prompt the user each time autocomplete is used... Though to me that kills the convenience of it. They could make prompting an option for people who want to give up some convenience for security.
 
Comment

Dammit Cubs

macrumors 68000
Jul 31, 2007
1,959
525
auto fill is the worst thing to happen PERIOD.

I cringe every time a Credit card number shows up after autofill.
 
Comment

inket

macrumors regular
Dec 23, 2009
142
39
Now they just have to make forms un-editable when hidden using CSS.
 
Comment