Security Team Finds Safari Autofill Exploit


Jeremiah Grossman, a security researcher, has found a way to exploit the AutoFill feature in Safari (versions 4.x and 5.x) that would allow the bad guys to get your name, address, and contact information with neither your approval nor your knowledge. Fortunately, the exploit can be preemptively foiled by merely unchecking a preference.

Mr. Grossman, the founder and chief technology officer of White Hat Security, wrote in a blog post that he had found the exploit earlier this year and reported it to Apple on June 17th. Not having heard back from the company, aside from an auto-generated confirmation e-mail, Mr. Grossman published the exploit, a proof-of-concept demonstration to show it working, and instructions for Mac users for preventing the exploit until Apple releases a fix for it.

To do so, simply go to Preferences > AutoFill > AutoFill web forms and uncheck the “Using info from my Address Book card” field, if it is checked, as noted in the screenshot below.

[Screenshot: Autofill Pref]

The exploit requires a user to pull up a Web page that has been maliciously crafted, but it works whether or not you have been to that page before. The feature being exploited is a convenient one in Safari that allows the browser to fill in street information, e-mail addresses, your name, and your phone number, when the preference is checked.

The problem is that Mr. Grossman figured out how to tap this feature using JavaScript to automatically try one letter after another in each field in a form, and capture the resulting autofill information once the right first letter was hit. By doing so, he can get a user’s name, their title, their company, their town, or their e-mail.

He was not able to get phone numbers or street addresses as he said that fields that begin with numbers don’t work with the proof-of-concept he developed. If you live in the 1920s, however, and your phone number begins with a “Clark” or “Klondike,” you may be vulnerable there, too.
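The behavior described above can be modeled without a browser. The following is an added example, not Mr. Grossman's proof-of-concept and not Apple's code: a toy AutoFill showing what a script that types letters would read back, why a value that starts with a digit is never returned, and what unchecking the preference changes. The card values, the function names and the `requireTrusted` guard are assumptions made up for this illustration.

```javascript
// Constructed sample card; every value here is made up for the example.
const CARD = {
  name: "Alex Example",
  company: "Example Corp",
  city: "Springfield",
  email: "alex@example.test",
  phone: "555-0100", // starts with a digit
};

// Toy stand-in for the browser's AutoFill: completes a field when the typed
// character matches the first character of the card value for that field.
// `enabled` models the "Using info from my Address Book card" checkbox;
// `requireTrusted` is a hypothetical guard that ignores script-made events.
function makeAutofill({ enabled, requireTrusted = false }) {
  return (field, ch, event) => {
    if (!enabled) return null;
    if (requireTrusted && !event.isTrusted) return null;
    const value = CARD[field];
    return value && value[0].toLowerCase() === ch ? value : null;
  };
}

// What a script-driven page observes: one synthetic keystroke per letter per
// field, reading back whatever the toy AutoFill completed.
function observedByScript(autofill) {
  const seen = {};
  let keystrokes = 0;
  for (const field of Object.keys(CARD)) {
    for (const ch of "abcdefghijklmnopqrstuvwxyz") {
      keystrokes++;
      const filled = autofill(field, ch, { isTrusted: false });
      if (filled !== null) { seen[field] = filled; break; }
    }
  }
  return { seen, keystrokes };
}

const prefOn = observedByScript(makeAutofill({ enabled: true }));
const prefOff = observedByScript(makeAutofill({ enabled: false }));
const guarded = observedByScript(makeAutofill({ enabled: true, requireTrusted: true }));
console.log(prefOn.seen, prefOff.seen, guarded.seen);
```

In this model, a few dozen script-generated keystrokes are enough to read back every field that starts with a letter, while the unchecked preference returns nothing no matter how many letters are tried.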

This feature in Safari is checked by default, and if you fill out a lot of forms, you have likely used it repeatedly, and often. If so, you’ll miss it, should you choose to turn it off.

Mr. Grossman also offered a video of the exploit in action for those not wanting to risk his proof-of-concept page. You can find it on his blog post.


Comments

mactoid

I’ve never found Safari’s autofill feature to work very well anyway.  Turning it off isn’t a big loss.

vpndev

Never ever liked autofill. It always seemed like a Microsoft “feature” that teased and then disappointed - coming close but never getting it right.

I lump “autocomplete” in the same category - interesting idea but not a timesaver at all.

I guess I’m just weird. All these other people seem to find it indispensable.

geoduck

Ya know, it really bugs me when options like this are on by default.

Proofreader Doug

Proofreading alert:

> The feature being exploited is a convenient on in Safari

Bryan Chaffin

Thanks, Doug. :)

I corrected the missing letter, and I appreciate the note.

cb50dc

“The exploit requires a user to pull up a Web page that has been maliciously crafted, but it works whether or not you have been to that page before.”

This will probably turn out as another of my “duh” moments, but “requires a user to pull up a web page” and “whether or not you have been to that page” seem to contradict. What have I misunderstood? How does “pull up” a page differ from “go to”?

Thanks.
