Safari Auto-Fill Vulnerability Could Reveal Your Info to Malicious Sites

An auto-fill bug in Safari could reveal your first name, last name, work place, city, state, and email address to a malicious website without you having entered any personal information on the site previously.

According to Jeremiah Grossman, Safari AutoFills HTML form text fields whose attribute names match address-book fields, such as name, company, city, state, country and email.

These fields are AutoFill'ed using data from the user's personal record in the local operating system address book. Again it is important to emphasize this feature works even though a user never entered this data on any website. Also this behavior should not be confused with normal auto-complete data a Web browser may remember after it's typed into a form. All a malicious website would have to do to surreptitiously extract Address Book card data from Safari is dynamically create form text fields with the aforementioned names, probably invisibly, and then simulate A-Z keystroke events using JavaScript. When data is populated, that is AutoFill'ed, it can be accessed and sent to the attacker.

Grossman has posted proof-of-concept code (graciously hosted by Robert "RSnake" Hansen). He has also tried to contact Apple but received no response. To protect yourself, disable AutoFill in Safari for the time being.
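A defensive check for the pattern described above, added here as an example and not part of Grossman's proof of concept: a browser extension or a site-integrity audit can flag form fields whose names match the AutoFill attributes while being hidden from the user, which is the combination a silent extraction page needs. The plain field-descriptor format, the hidden-field heuristics and the sample form are assumptions; the attribute names are the ones the write-up lists.

```javascript
// Attribute names Safari AutoFills from the Address Book (from the write-up;
// the source says "etc.", so a production list would be longer).
const AUTOFILL_TARGET_NAMES = new Set([
  "name", "company", "city", "state", "country", "email",
]);

// Heuristic: is this field invisible or pushed off-screen?
// `field.style` holds computed CSS values as a plain object (assumption:
// a content script serialises each input this way before handing it over).
function isHiddenFromUser(field) {
  const s = field.style || {};
  return (
    s.display === "none" ||
    s.visibility === "hidden" ||
    Number(s.opacity) === 0 ||
    (s.position === "absolute" && parseFloat(s.left) < -1000) ||
    field.width === 0 || field.height === 0
  );
}

// Normalise "E-Mail" / "e_mail" / "Email" to "email" before matching.
function normaliseName(field) {
  return String(field.name || field.id || "").toLowerCase().replace(/[^a-z]/g, "");
}

// Return the names of fields that both match an AutoFill attribute and are
// hidden from the user. A visible "email" box is normal; a hidden one is not.
function findHiddenAutofillTargets(fields) {
  return fields
    .filter((f) => AUTOFILL_TARGET_NAMES.has(normaliseName(f)) && isHiddenFromUser(f))
    .map((f) => f.name || f.id);
}

// Constructed sample: a search form with three hidden AutoFill targets added.
const SAMPLE_FORM = [
  { name: "q", style: {} },                                        // visible search box
  { name: "email", style: { display: "none" } },                   // hidden target
  { name: "Company", style: { opacity: "0" } },                    // hidden target
  { name: "city", style: { position: "absolute", left: "-9999px" } }, // off-screen target
  { name: "state", style: {} },                                    // visible, legitimate
  { name: "comment", style: { display: "none" } },                 // hidden, not a target
];

console.log(findHiddenAutofillTargets(SAMPLE_FORM)); // [ 'email', 'Company', 'city' ]
```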

Have a look at the video below...

Read More [via MacRumors]
