Safari AutoFill Exploit Raises Privacy Concerns

Earlier in the week, Jeremiah Grossman of WhiteHat Security reported a major security vulnerability in Safari. This vulnerability stems from the “AutoFill web forms” function, which is enabled by default in the browser’s preferences.

Ordinarily, this feature is intended to save users time by auto-completing forms using data from the Address Book. Grossman reports that a malicious website could theoretically pull data from a user’s Address Book card, capture it, and invisibly send it to an attacker. The privacy breach would happen without the user’s knowledge and would not require the user to enter any text or follow any links. By merely visiting a malicious page, users could put their privacy at risk.

This AutoFill exploit can capture the user’s name, city, state, country, company, and email address. However, it cannot be used to capture numeric data such as phone numbers or street addresses. Regardless of the information at risk, any unsolicited attempt to obtain a user’s private information is something to be wary of.

Grossman has posted a safe proof-of-concept website that indicates whether or not you are at risk. Thankfully, the temporary fix is an easy one: go to Safari > Preferences > AutoFill and uncheck the box labeled “Using info from my Address Book card.” Grossman has submitted this vulnerability to Apple, and hopefully a fix will be provided in the next Security Update or the next revision of Safari.
