Safari Auto-Fill Vulnerability Could Reveal Your Info to Malicious Sites

An auto-fill bug in Safari could reveal your first name, last name, work place, city, state, and email address to a malicious website without you having entered any personal information on the site previously.

According to Jeremiah Grossman, Safari autofills HTML form text fields with specific attribute names such as name, company, city, state, country, email, etc.

These fields are AutoFilled using data from the users personal record in the local operating system address book. Again it is important to emphasize this feature works even though a user never entered this data on any website. Also this behavior should not be confused with normal auto-complete data a Web browser may remember after its typed into a form. All a malicious website would have to do to surreptitiously extract Address Book card data from Safari is dynamically create form text fields with the aforementioned names, probably invisibly, and then simulate A-Z keystroke events using JavaScript. When data is populated, that is AutoFilled, it can be accessed and sent to the attacker.


Grossman has posted some proof-of-concept code (graciously hosted by Robert "RSnake" Hansen). He's also tried to contact Apple but received no response. To protect yourself you can just disable autofill in Safari for the time being.

Have a look at the video below...

Read More [via MacRumors]