Thursday, July 22, 2010, 03:55 pm
Security researcher demos autofill exploit in Apple SafariThe autofill feature found in Apple's Safari Web browser could be used by a hacker to illegally obtain a user's personal information, including their name and e-mail address, a security researcher has discovered.
Jeremiah Grossman revealed on his blog this week that users who have the "AutoFill web forms" feature enabled on Safari versions 4 and 5 is vulnerable to malicious code. The AutoFill feature is enabled by default in Apple's Web browser.
The feature automatically fills online text forms that have specific, common names, such as "name," "company," "city," "state," "e-mail," and more. The information is automatically grabbed from the user's personal record included in the operating systems' address book. That means the information could be obtained without the user even entering it into the Safari browser.
He also created a proof-of-concept to show how it takes "mere seconds" to obtain the personal information. Grossman said the data could be used to send e-mail spam or conduct a phishing attack.
"Fortunately any AutoFill data starting with a number, such as phone numbers or street addresses, could not be obtained because for some reason the data would not populate in the text field," he said. "Still, such attacks could be easily and cheaply distributed on a mass scale using an advertising network where likely no one would ever notice because it's not exploit code designed to deliver rootkit payload."
Safari 5, the latest version of Apple's Web browser, was released in June. It added extensions and expanded HTML5 support for the desktop software.
On Topic: Software
- Avid announces Pro Tools 11 and Media Composer 7 for Mac & PC
- Adobe releases Lightroom 4.4 and Camera Raw 7.4 after month of testing
- New release candidates for Adobe's Lightroom and Camera Raw bring bug fixes, added camera support
- Apple to lock iOS app screenshots upon submission to halt scammers
- Firefox 18 launches with support for Retina display Macs