Apple plugs autofill vulnerability with Safari 5.0.1

In addition to activating extensions, Apple's latest update to the Safari Web browser also plugs a potentially dangerous security hole that could allow hackers to obtain a user's personal information.

Earlier this month, a security researcher exposed the flaw in Safari, which could allow a hacker to obtain a user's personal information saved in the browser's autofill feature. The exploit could be used to access information such as a person's name, e-mail address, what company they work for, or the city and state they live in.

"An implementation issue exists that allows a maliciously crafted website to trigger AutoFill without user interaction," a note from Apple product security reads. "This can result in the disclosure of information contained within the user's Address Book Card."

The exploit was first demonstrated by Jeremiah Grossman of WhiteHat Security, who was credited by Apple for reporting the issue. Both versions 4 and 5 of Safari were vulnerable to the flaw.

Accordingly, in addition to the 5.0.1 update issued Wednesday, Apple released Safari 4.1.1 for Mac OS X 10.4 Tiger, which also plugs the vulnerability.

The exploit could even affect those who have never used the autofill functionality in their browser, as Safari, by default, grabs information from a user's Address Book card to help complete online forms. Users who have not updated their browser can avoid the issue by disabling the option to "AutoFill web forms," found in the browser's settings.

Grossman's proof of concept of the hack shows that it can be implemented on a simple website to obtain a user's information in a matter of seconds. The security researcher said the data could be used to send e-mail spam or conduct a phishing attack.

He noted that autofill data starting with a number, including phone numbers and street addresses, could not be obtained through the hack. But other information, including names and e-mail addresses, was at risk.

"Such attacks could be easily and cheaply distributed on a mass scale using an advertising network where likely no one would ever notice because it's not exploit code designed to deliver rootkit payload," he said.

Both Safari 5.0.1 and Safari 4.1.1 also fix another security flaw that could allow a malicious RSS feed to send files from a user's system to a remote server. The exploit took advantage of a cross-site scripting issue in Safari's handling of RSS feeds.

Apple addressed the issue through improved handling of RSS feeds. The exploit was first reported by Billy Rios of the Google Security Team.