Safari AutoFill Exploit Raises Privacy Concerns

Earlier in the week, Jeremiah Grossman of WhiteHat Security reported a major security vulnerability in Safari. This vulnerability stems from the “AutoFill web forms” function, which is enabled by default in the browser’s preferences.

Ordinarily, this feature is intended to save users time by auto-completing forms using data from the Address Book. Grossman reports that a malicious website could theoretically pull data from a user’s Address Book card, capture it, and invisibly send it to an attacker. The privacy breach would happen without the user’s knowledge, and would not require them to input any text or follow any links. By merely visiting a malicious page, users could put their privacy at risk.

This AutoFill exploit can capture the user’s name, city, state, country, company, and email address. However, it cannot be used to capture numeric data such as phone numbers or street addresses. Regardless of the information at risk, any unsolicited attempt to obtain a user’s private information is something to be wary of.

Grossman has posted a safe proof-of-concept website here which indicates whether or not you are at risk. Thankfully, the temporary fix is an easy one. Go to Safari > Preferences > AutoFill and uncheck the box labeled “Using info from my Address Book card.” Grossman has submitted this vulnerability to Apple, and hopefully a fix will be provided in the next Security Update or the next revision of Safari.
