Safari AutoFill Exploit Raises Privacy Concerns

Earlier this week, Jeremiah Grossman of WhiteHat Security reported a major security vulnerability in Safari. The vulnerability stems from the “AutoFill web forms” feature, which is enabled by default in the browser’s preferences.

Ordinarily, this feature is intended to save users time by auto-completing forms with data from the Address Book. Grossman reports that a malicious website could theoretically pull data from a user’s Address Book card, capture it, and invisibly send it to an attacker. The privacy breach would happen without the user’s knowledge and would not require the user to type any text or follow any links. Merely visiting a malicious page could put a user’s privacy at risk.

This AutoFill exploit can capture the user’s name, city, state, country, company, and email address. It cannot, however, be used to capture numeric data such as phone numbers or street addresses. Regardless of which information is at risk, any unsolicited attempt to obtain a user’s private information is something to be wary of.

Grossman has posted a safe proof-of-concept website here that indicates whether or not you are at risk. Thankfully, the temporary fix is an easy one: open Safari > Preferences > AutoFill and uncheck the box labeled “Using info from my Address Book card.” Grossman has submitted this vulnerability to Apple, and hopefully a fix will be provided in the next Security Update or the next revision of Safari.
