Safari AutoFill Security Issue Rears Its Head Once Again

[MacRumors]

Back in July, security researcher Jeremiah Grossman revealed a security issue that could allow malicious parties to take advantage of Safari's AutoFill feature to extract personal information from users' Address Book entries. At the time, Grossman reported that his report to Apple had gone essentially unacknowledged for nearly a month, but just six days later Apple released Safari 5.0.1 and 4.1.1 to address the problem.

Screenshot of Grossman's proof-of-concept test of new AutoFill exploit
Grossman now reports that he has discovered another similar AutoFill security issue that, while requiring the malicious party to trick users into providing a pair of keystrokes rather than being completely automated as in the previous exploit, offers an even more efficient means for users' personal information to be obtained.

To perform our attack requires tiny bit of end-user trickery. Two button presses to be precise. A malicious website detects (ie: IP address) the country the victim is from. For our purposes here we'll assume the "US." The attacker invisibly (CSS transparency) sets up the aforementioned form and forces the keystroke focus into the country element. Notice how this is done in the video on the right side of the screen, which only visible for demonstration purposes. Next the attacker entices the victim to type "U" (first character of "US") and then press "TAB." And BAM! That's it! Data stolen.

Grossman relates that he notified Apple of the newly-discovered exploit via email on August 10th and again a few days later. One week after that, he received a phone call from an Apple product security engineer with whom he had a "productive chat" about how the original vulnerability report from June had been handled, only to discover at the end of the conversation that the engineer had no idea that Grossman had reported the second issue a week and half prior.

As with the earlier exploit, users can protect themselves by simply turning off the AutoFill option to automatically populate forms with information from their Address Book cards. Grossman notes, however, that he is unsure how Apple plans to address the vulnerability while still maintaining the convenience of the AutoFill feature. While Apple's previous patch allowed Safari to automatically differentiate from the automated JavaScript-simulated keystrokes from real keystrokes, thus thwarting the original exploit, the new exploit relies on tricking the user into actually entering the necessary keystroke, a tactic that could be more difficult to address.

Article Link: Safari AutoFill Security Issue Rears Its Head Once Again

 

[skeep5]

aw crap. man i'm all depressed now. went from hey! there's a 7 inch ipad coming to hey! safari just sent all your info to bangladesh.

 

[Bleubird2]

Maybe it's time to just disable AutoFill until the security issues are completely fixed.

 

[vidyashankara]

simply use chrome...

 

[Darth.Titan]

Can someone please tell me how the ability to obtain my name and address is a huge security threat? They can grab a phone book and get a bunch of that kind of info with far less effort.

Not sure what the big deal is. It's not like the Address book info contains credit card and Social Security numbers.

 

[grapes911]

Why are people visiting these malicious sites anyway? To me the best security is to only go to respected, well-known sites. It's like walking though the bad part of the neighborhood at night. Bad things may happen.

 

[saving107]

Why are people visiting these malicious sites anyway? To me the best security is to only go to respected, well-known sites. It's like walking though the bad part of the neighborhood at night. Bad things may happen.

I agree with you, but as a pre-caution I tuned off Autofill from my Safari browser, Chrome Browser and Mobile Safari Browser a long time ago (before the story came out in June) just because I never trusted that feature.

 

[miles01110]

Why are people visiting these malicious sites anyway?

I think the implication was that this could be implanted onto an otherwise reputable site if it could be broken into.

Can someone please tell me how the ability to obtain my name and address is a huge security threat? They can grab a phone book and get a bunch of that kind of info with far less effort.

Because it ties your name and address to an IP address.

 

[owensd]

So let me get this straight... you have an autofill feature and you think it's a security bug because the user typed data into a cell that has focus, pressed tab to switch cells which triggers the auto-completion.

That is the entire point of auto-completion and is available in every browser.

The fact that it's on by default in Safari is where the potential problem exists.

 

[ChrisA]

This is not a Mac/PC thing or even a Safari issue. It applies to all browsers

The way any browser should handle auto fill is to NEVER write information to parts of the screen that cannot be seen. This means even if the windows is covered by another window.

Next it might be good if all browsers asked before they sent any data the user did not type in, himself by hand. Pop-ups are annoying but the auto fill process might add something that forces the user to verify that the information entered is correct and desired.

 

[Thinine]

Sounds like a pretty easy fix: don't autofill form elements that aren't visible to the user.

 

[baryon]

How about not allowing forms and text boxes to be invisible in CSS? That should fix it, and put the responsibility on the user.

 

[allpar]

"How about not allowing forms and text boxes to be invisible in CSS? That should fix it, and put the responsibility on the user."

That will screw up a LOT of sites that have good reason to have invisible forms and text boxes.

I do like the idea of "no AutoFill into hidden forms." Hard to implement with no "gotchas."

I also like the idea of a dialogue box -- "Do you want to autofill?" -- which would eliminate this issue entirely without killing functionality.

 

[ThunderSkunk]

Why are people visiting these malicious sites anyway? To me the best security is to only go to respected, well-known sites. It's like walking though the bad part of the neighborhood at night. Bad things may happen.

Wha?


???

 

[fredfnord]

There is an easy fix, but I don't know if Apple will like it

When Safari detects a form, put a little button (perhaps a circle with a capital A in it) in the form elements. If the user clicks it, do an autofill. If not, don't.

 

[baryon]

Why are people visiting these malicious sites anyway? To me the best security is to only go to respected, well-known sites. It's like walking though the bad part of the neighborhood at night. Bad things may happen.

So if the police said "just don't walk through the bad part of town" as a response to "what are you going to do against crime?", would you be satisfied?

 

[grapes911]

So if the police said "just don't walk through the bad part of town" as a response to "what are you going to do against crime?", would you be satisfied?

No, but don't be surprised that crime happens in that section of town. If it's known, then stay away.

 

[lkrupp]

Maybe it's time to just disable AutoFill until the security issues are completely fixed.

These security nerds won't be satisified until every feature that users find useful is disabled or crippled. I, for one, don't intend to hide under my bed because a bad guy might get me. I've been using a personal computer since 1982, starting with dial-up bulleting boards and getting on the internet as soon as it became possible for a non-educational user to do so. In all those 28 years I have never been "hacked" nor my system compromised. And I don't think it was dumb luck either. These guys are constantly crying wolf and declaring that the sky is falling. Just like anything else in this world it's really digital darwinism at work. The stupid ones die or make the rest of us pay for their stupidity.

 

[Blu101]

Why are people visiting these malicious sites anyway? To me the best security is to only go to respected, well-known sites. It's like walking though the bad part of the neighborhood at night. Bad things may happen.

Not all 6 billion people in the world can distinguish a good site from a bad site

Furthermore, advanced phishing scams now copy entire websites near perfect, and can only be distinguished by looking at the address on the browser, but again, your non-tech/non-web savvy 50 year old will never know the difference. He'll just be happy to think he's using paypal, and even happier with a feature like auto fill for his arthritis.

No, but don't be surprised that crime happens in that section of town. If it's known, then stay away.

Many times you don't know if "that section of town" is bad until you get there, and by the time your browser alerts you, it's already too late. Happened to my parents a few weeks back on their vista pc. $100 to fix.







Apple and other computer OS manufacurers should employ these hackers or invite them (with pay of course) to come and speak/educate on a regular basis. Pwn2wn works great at this, but just doesn't happen frequent enough IMO (what is it, just a once a year contest or something?).

 

[RMo]

Wouldn't a prompt to ask the user if they really want to do so take care of this situation? Granted, it's less convenient (but infinitely more so than having your data stolen), and a really malicious site could still trick a user into something like "Press Tab and then Enter (not Return)" if they happen to have that feature enabled (which Mozilla has taken care of with a mandatory delay), but maybe...

 

[ikir]

If you are stupid you don't have any protection agains these things. No software is secure against stupidity. Autofill is very handy imho.

 

[iSee]

So let me get this straight... you have an autofill feature and you think it's a security bug because the user typed data into a cell that has focus, pressed tab to switch cells which triggers the auto-completion.

That is the entire point of auto-completion and is available in every browser.

The fact that it's on by default in Safari is where the potential problem exists.

Yeah, I'm half way with you. The exploit requires that the user actually use the autocomplete feature. But the user would not understand that's what's happening. I guess apple could improve things by, e.g., not enabling autocomplete on fields that aren't readily visible... That would help but not necessarily eliminate the problem. Apple could prompt the user each time autocomplete is used... Though to me that kills the convenience of it. They could make prompting an option for people who want to give up some convenience for security.

 

[DavidLeblond]

Furthermore, advanced phishing scams now copy entire websites near perfect, and can only be distinguished by looking at the address on the browser

I wouldn't bet on even that.

http://mashable.com/2010/01/01/idn-phishing/

 

[Dammit Cubs]

auto fill is the worst thing to happen PERIOD.

I cringe every time a Credit card number shows up after autofill.

 

[inket]

Now they just have to make forms un-editable when hidden using CSS.