You can't block all invisible text fields because type="hidden" is required for many sites to work. You often have information in there that would confuse users if visible.

And how can a browser determine a hidden field? You could have them all fine in CSS, then move them or hide them with JavaScript. You could position an element over them to hide them. You could have it really low on a page so no one sees it unless they scroll a lot (most users will not scroll to the bottom of a page right when they get there).

There are so many ways to hide them, I don't think you could block that.

I do like the idea of asking me if I want to auto complete though.


As for it being the user's fault... We are Apple users here; we use them because we don't believe the user should work for the computer. We think the computer should work for the user.

Also, you could easily have a game that required you to press tab and other keys, and auto focus a field so you wouldn't even know you had entered text into a field and then hit tab.
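The post above argues that a browser cannot reliably tell a hidden field from a visible one, and a later reply makes the same point about a field covered by an image. As an added example that is not code from the thread or from Safari, here is what such a visibility heuristic would look like if an autofill implementation ran it before filling a field; `ctx` stands in for `window.getComputedStyle`, `document.elementFromPoint` and the viewport size so it runs in Node against constructed elements:

```javascript
// Added example, not code from the thread or from Safari: a visibility
// heuristic an autofill implementation could run before writing data into a
// field. It covers the hiding tricks the post lists (type="hidden", CSS
// display/visibility/opacity, off-screen placement, an element stacked on top).
// `ctx` wraps the browser APIs (window.getComputedStyle, document.elementFromPoint,
// window.innerWidth/innerHeight) so the same function runs in Node against the
// constructed elements below.
function isFieldVisibleForAutofill(el, ctx) {
  if ((el.type || "").toLowerCase() === "hidden") return false; // <input type="hidden">
  const style = ctx.getComputedStyle(el);
  if (style.display === "none" || style.visibility === "hidden") return false;
  if (parseFloat(style.opacity) === 0) return false;
  const r = el.getBoundingClientRect();
  if (r.width < 1 || r.height < 1) return false; // zero-size, or inside a display:none ancestor
  const { width: vw, height: vh } = ctx.viewport;
  if (r.right <= 0 || r.bottom <= 0 || r.left >= vw || r.top >= vh) return false; // off-screen
  // Hit-test the field's centre: if something else is on top, the user cannot
  // see or click the field, so it must not be filled.
  const hit = ctx.elementFromPoint(r.left + r.width / 2, r.top + r.height / 2);
  return hit === el || el.contains(hit);
}

// Constructed stand-ins for a DOM element and the browser context (test data,
// not a real page). `covered` simulates an overlay being what elementFromPoint returns.
function makeField({ type = "text", display = "block", visibility = "visible",
                     opacity = "1", x = 10, y = 10, w = 200, h = 24 } = {}) {
  const el = { type, style: { display, visibility, opacity } };
  el.getBoundingClientRect = () =>
    ({ left: x, top: y, width: w, height: h, right: x + w, bottom: y + h });
  el.contains = (other) => other === el;
  return el;
}

function checkField(opts = {}) {
  const el = makeField(opts);
  const ctx = {
    viewport: { width: 1280, height: 800 },
    getComputedStyle: (e) => e.style,
    elementFromPoint: () => (opts.covered ? { id: "overlay" } : el),
  };
  return isFieldVisibleForAutofill(el, ctx);
}

console.log(checkField());                      // true: plain visible field
console.log(checkField({ type: "hidden" }));    // false
console.log(checkField({ y: 5000 }));           // false: far below the fold
console.log(checkField({ covered: true }));     // false: overlay on top
```

The heuristic supports the poster's caveat rather than refuting it: an ancestor with opacity 0, a clip-path, or a clipping parent of zero size still slips through, so a check like this narrows the window but is no substitute for fill that the user initiates.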
 
Not all 6 billion people in the world can distinguish a good site from a bad site :rolleyes:

Furthermore, advanced phishing scams now copy entire websites near perfectly, and can only be distinguished by looking at the address in the browser, but again, your non-tech/non-web savvy 50 year old will never know the difference. He'll just be happy to think he's using PayPal, and even happier with a feature like auto fill for his arthritis.

IME 50 year olds (which I'm not, yet, although I do hope to reach that age) are a lot more tech savvy than 18 year olds, since they've been using computers for their entire working life. While there does seem to be this idea among 20-somethings that computers were only recently invented, this is, in fact, not the case.

While you rarely see someone above the age of 22 in iPhone commercials, iPhone users skew older, too:
13-17 : 5%
18-24 : 13%
25-34 : 29%
35-54 : 36%
55 + : 17%
 
I don't care about security, just keep on releasing those updates that make Safari snappier :D
 
Apple is getting ridiculously lax with security. The second zero-day jailbreakme exploit, Safari AutoFill keeps popping up, and then the news from the other day about the gaping hole in file sharing where you only had to know a username to authenticate (no password needed).

When is Apple going to have a come-to-Jesus moment and wake up regarding security?
 
I don't know what you people are complaining about. Apple doesn't want to keep your information that private. They want it to deliver you the appropriate iAds when OS X goes ad based. Duh!
 
IME 50 year olds (which I'm not, yet, although I do hope to reach that age) are a lot more tech savvy than 18 year olds, since they've been using computers for their entire working life. While there does seem to be this idea among 20-somethings that computers were only recently invented, this is, in fact, not the case.

While you rarely see someone above the age of 22 in iPhone commercials, iPhone users skew older, too:

Didn't mean any pun towards you and any other computer savvy older than 20 something (I'm also older than 20 something btw). I was just using that to refer to many in my parents' generation that did not grow up using computers and don't use them for work (just web browsing/online shopping). And this doesn't mean my parents (and others like them) are idiots - they're not, it just means they lack the basic computer knowledge we often take for granted when we see news like this. And as I get older, I myself have begun to notice how big a pain (and time consuming) it's becoming to stay on top of these things. It's always a cat and mouse game, nothing we can do about that, but one can hope that the OS developers get off their a** one day and speed up the process of identifying and patching these holes. I mean, c'mon: "...only to discover at the end of the conversation that the engineer had no idea that Grossman had reported the second issue a week and half prior..." - clearly there's some room for improvement in that process.
 
I don't know what you people are complaining about. Apple doesn't want to keep your information that private. They want it to deliver you the appropriate iAds when OS X goes ad based. Duh!

Nothing compared to Facebook and maybe even Google ;)
 
Now they just have to make forms un-editable when hidden using CSS.

Except that not visible is not the same as invisible (i.e. 'hidden' using CSS). Imagine the video in the demonstration with an image/object obscuring the form. That would be difficult to detect. I think the only real answer to this is to make it user initiated with an autofill button that appears inline with the form.
 
This one seems pretty silly compared to the last one. I think using the same common sense tools one uses to avoid trojans would be the best course of action.
 
. . .but again, your non-tech/non-web savvy 50 year old will never know the difference. He'll just be happy to think he's using PayPal, and even happier with a feature like auto fill for his arthritis.

Don't be bashing on 50 yr olds. :mad:
(not quite 50, but I've been using PCs for over 30 yrs!)

You would have been safe with just non-tech savvy. ;)
 
So let me get this straight... you have an autofill feature and you think it's a security bug because the user typed data into a cell that has focus, then pressed tab to switch cells, which triggers the auto-completion.

That is the entire point of auto-completion and is available in every browser.

The fact that it's on by default in Safari is where the potential problem exists.

Well, the deal is about forms/boxes/fields/etc. that are invisible to the user, thus firing an action that is not intended by the user.

How about not allowing forms and text boxes to be invisible in CSS? That should fix it, and put the responsibility on the user.

Not possible unless you screw up a bunch of perfectly usable, legitimate functions from the W3C conventions, therefore eliminating the "holy cross-browser compatibility" that IE is still trying to catch up on. ;)
 
How about not allowing forms and text boxes to be invisible in CSS? That should fix it, and put the responsibility on the user.

Doing this would pretty much break the Document Object Model, for one thing. It's introducing a lot of complexity.

A better way would be (as someone already mentioned) to require some sort of user confirmation before auto-filling a form. I don't believe, given many people's behavior on the web, it'd actually work though.
 
Why are people visiting these malicious sites anyway? To me the best security is to only go to respected, well-known sites.
I gather you have never used Google (or any other search engine). Or you only click on the results if you know the URL to be reputable? And reputable sites never get hacked or use an advertiser that gets hacked?
 
Remember that report Jobs pointed out showing the vulnerabilities in Flash?

Then remember when that same report showed Quicktime has significantly more vulnerabilities?

And it was hilarious when that same report showed Apple's vulnerabilities went unpatched for significantly longer than Adobe's.

And don't forget the latest gaping security hole in AFP.

Then there was the previous AutoFill exploit, unacknowledged for over a month and unpatched.

Maybe the Safari security team just auto-routes this guy's emails to their junk folder. I mean, you'd think that if someone discovered your project's biggest security flaw ever you'd have the guy on speed dial.
 
These security nerds won't be satisfied until every feature that users find useful is disabled or crippled. I, for one, don't intend to hide under my bed because a bad guy might get me. I've been using a personal computer since 1982, starting with dial-up bulletin boards and getting on the internet as soon as it became possible for a non-educational user to do so. In all those 28 years I have never been "hacked" nor my system compromised. And I don't think it was dumb luck either. These guys are constantly crying wolf and declaring that the sky is falling. Just like anything else in this world it's really digital darwinism at work. The stupid ones die or make the rest of us pay for their stupidity. :mad:

Sorry, I wasn't very clear. I have almost always had autofill disabled. I like to know what information is being inputted (is that a word or spelled correctly, I don't know) and where. That's my preference. I also don't let my computer store passwords for the same reasons, I just prefer it that way. You can't be too careful.
 
They covered that on tuaw.com

Apparently one of the managers of ICANN made the comment on an article pointing out the example he used isn't possible. "L" is written in Cyrillic as an upside-down V for one thing. Some characters also can't be used in a domain name.

I'm at work so can't really do a lot of research on it, but this was in the comments of that article you linked:
Hi christina, thanks for making the correction note on the article. Please note further that just because a "character" exists in Unicode does not make it available for use in domain names. Several characters are what we call DISALLOWED in the IDNA protocol. All domain names need to be valid in accordance with the IDNA protocol in order for the domain name to be registered and resolvable. Adding on top of the protocol comes the IDN Guidelines, where the non-script/language mixing rule sits and is enforced by a contractual relationship with ICANN, and more rules and requirements go on top of that.

As mentioned in my previous comment to your article - if you are interested in writing about security and IDNs, which indeed is an important topic, then please contact me and I will guide you through how all this works, what's in place, and what else needs to be done as we move forward. I will probably also suggest that you talk to others, for example security experts. Not doing so is quite disrespectful to people that have spent years of voluntary work on IDNs, to make it work so well that we are able to make the introduction at the top level. I also find it rude towards your readers that have needed IDNs at the top level for years.....imagine if all domain names were in Arabic characters and you for years had to find a way to type Arabic domain names on your Latin-based keyboard. Then when Latin was introduced in the domain name it got slashed by an Arabic-writing reporter...not fully understanding the technology and mechanisms.....not nice.

I know you just re-reported what was said in the Times Online - but that does not make it right, and because your article is read and re-tweeted by so many it actually causes a lot of damage. I spent all day yesterday and today fixing the issues, replying to people that contacted me because they read your story and freaked out. It's going to run for a few more days - sometimes this takes weeks. And it's not that I mind doing the clean-up work, but it takes away time from what I really should be doing: real IDN work, such as helping countries that need support to get their language supported in the DNS, evaluations of applications, revision of the Guidelines to make them stronger, and so on...

So I'm around if you want to understand this better.

Tina Dam
Sr. Director, IDNs
ICANN
As opposed to just making comments about ICANN and what we do or do not do - I really wish you would have called or emailed and asked.

You say: As of right now, ICANN hasn’t instituted any policies of trying to protect these kinds of situations, meaning it might be that much more difficult for even normally cautious users to avoid being scammed.

This is wrong. The rule for mixing scripts was put in place years ago and as such the type of example you are using is no longer a problem and has not been for a long time......

If you are interested in a review of what are the past problems, how have they been solved and what do we need to do looking forward, please call.

Tina Dam
Sr. Director, IDNs
ICANN

Also these are interesting:

http://www.pbs.org/weta/faceofrussia/reference/cyrillic.html
http://en.wikipedia.org/wiki/IDN_homograph_attack
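The ICANN comment quoted above says the IDN Guidelines' script-mixing rule is what stops a Cyrillic look-alike letter from being registered inside a Latin label. As an added example that is not ICANN's code or part of the thread, here is a simplified version of that check written as a defender's validation step; it assumes the hostname has already been punycode-decoded to its Unicode form and that the runtime supports Unicode property escapes (Node 10+, modern browsers):

```javascript
// Added example, not ICANN's code: a script-mixing check in the spirit of the
// IDN Guidelines rule the comment above describes. Every letter of a label is
// classified by Unicode script; a label drawing on more than one script is
// flagged, which is how a Cyrillic look-alike letter dropped into an otherwise
// Latin label would be caught. Input is the Unicode (already punycode-decoded)
// form of the hostname. Uses Unicode property escapes (Node 10+, modern browsers).
const SCRIPTS = [
  ["Latin", /\p{Script=Latin}/u],
  ["Cyrillic", /\p{Script=Cyrillic}/u],
  ["Greek", /\p{Script=Greek}/u],
  ["Arabic", /\p{Script=Arabic}/u],
  ["Hebrew", /\p{Script=Hebrew}/u],
];

// Returns the distinct scripts used by the letters of one label, sorted.
// Digits and hyphen (the LDH set) are script-neutral and skipped.
function scriptsInLabel(label) {
  const found = new Set();
  for (const ch of label) {
    if (/[0-9-]/.test(ch)) continue;
    const match = SCRIPTS.find(([, re]) => re.test(ch));
    found.add(match ? match[0] : "Other");
  }
  return [...found].sort();
}

// The real guidelines permit a few deliberate combinations (e.g. Japanese mixes
// Han, Hiragana and Katakana); this simplified check treats any mix as a violation.
function isMixedScript(label) {
  return scriptsInLabel(label).length > 1;
}

// Returns the labels of a hostname that violate the rule (empty = all clean).
function mixedScriptLabels(hostname) {
  return hostname.toLowerCase().split(".").filter(isMixedScript);
}

// Constructed sample: a Latin label with one Cyrillic "а" (U+0430) substituted.
console.log(mixedScriptLabels("paypal.com"));                                        // []
console.log(mixedScriptLabels("p\u0430ypal.com"));                                   // [ 'pаypal' ]
console.log(mixedScriptLabels("\u043f\u0440\u0438\u043c\u0435\u0440.\u0440\u0444")); // [] (all Cyrillic)
```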
 
Who seriously uses Autofill anyway? I never set it up. Why? Because I can remember my username and passwords. I can also type faster than a 6 year old. I can take the extra seven seconds of my precious life on this earth to type in a user name and a password. For example, this post took a measly minute and 9 seconds to type. Should the bug be fixed? Yes. But why do people even USE Autofill? I never have.
 
Who seriously uses Autofill anyway? I never set it up. Why? Because I can remember my username and passwords. I can also type faster than a 6 year old. I can take the extra seven seconds of my precious life on this earth to type in a user name and a password. For example, this post took a measly minute and 9 seconds to type. Should the bug be fixed? Yes. But why do people even USE Autofill? I never have.

I don't use Autofill for credit card numbers or passwords (both of which seem like silly ideas to me), but I DO use it for my name and address. It's good when shopping online or filling out the endless forms my university needs every other month to know that I've at LEAST typed in my name and address correctly.

Each person assumes a certain amount of risk when they're online. My name and address are readily available in the phonebook. I don't receive spam in either email account listed on my Address Book card (from which Safari autofills). I do my security patches and am diligent about where I travel on the web.

I guess my point is...don't be so dismissive about autofill. :) It's actually pretty helpful! I understand why people don't use it, but it has saved me quite a bit of time, especially recently.
 
Another reason why I don't use AutoFill. Typing in the same username once in a while is not a hard thing to do guys.
 