The Mac Observer

Security Team Finds Safari Autofill Exploit


Jeremiah Grossman, a security researcher, has found a way to exploit Safari’s (versions 4.x and 5.x) AutoFill feature that would allow an attacker to get your name, employer, town and e-mail address without your approval or knowledge. Fortunately, the exploit can be preemptively foiled by merely unchecking a preference.

Mr. Grossman, the founder and chief technology officer of White Hat Security, wrote in a blog post that he had found the exploit earlier this year and reported it to Apple on June 17th. Not having heard back from the company, aside from an auto-generated confirmation e-mail, Mr. Grossman published the exploit, a proof-of-concept demonstration to show it working, and instructions for Mac users for preventing the exploit until Apple releases a fix for it.

To do so, simply go to Safari > Preferences > AutoFill and, under “AutoFill web forms,” uncheck the “Using info from my Address Book card” box if it is checked, as shown in the screenshot below.

[Screenshot: Safari’s AutoFill preference pane, with “Using info from my Address Book card” unchecked]

The exploit requires a user to pull up a Web page that has been maliciously crafted, but it works whether or not you have been to that page before. The feature being exploited is a convenient one in Safari that allows the browser to fill in street information, e-mail addresses, your name, and your phone number, when the preference is checked.

The problem is that Mr. Grossman figured out how to tap this feature using JavaScript: his script automatically tries one letter after another in each field of a form and captures the resulting autofill information as soon as the right first letter is hit, with no further action from the user. By doing so, he can get a user’s name, title, company, town, and e-mail address.

He was not able to get phone numbers or street addresses as he said that fields that begin with numbers don’t work with the proof-of-concept he developed. If you live in the 1920s, however, and your phone number begins with a “Clark” or “Klondike,” you may be vulnerable there, too.
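The guessing loop the article describes, as an added illustration rather than Mr. Grossman’s own proof-of-concept: the script below runs against a stand-in for Safari’s Address Book autofill (a simple prefix-completion oracle over a constructed sample card) so that it can be executed outside a browser. The real attack drives the browser’s own autofill through keystroke events in form fields, which this simulation does not do; the field names, the sample card, and the `simulatedAutofill` oracle are assumptions made for the example.

```javascript
// Added simulation of the first-letter autofill harvesting described in the
// article. Not the original proof-of-concept: the browser is replaced by a
// prefix-completion oracle, and the address card is constructed sample data.

// Constructed sample Address Book card (stands in for the user's "Me" card).
const ADDRESS_CARD = {
  name: "Jane Example",
  title: "Staff Engineer",
  company: "Example Corp",
  city: "Springfield",
  email: "jane@example.invalid",
  phone: "555-0100",        // begins with a digit
  street: "12 Main Street", // begins with a digit
};

// Stand-in for the browser's autofill: given a field and what has been typed
// so far, return the completed card entry if it starts with that prefix
// (case-insensitive), otherwise null. This completion is the only signal the
// attacking page receives, and it is all the attack needs.
function simulatedAutofill(card, field, typed) {
  const value = card[field];
  if (typeof value !== "string" || typed.length === 0) return null;
  return value.toLowerCase().startsWith(typed.toLowerCase()) ? value : null;
}

// The harvesting loop: for each field of interest, "type" one letter after
// another and keep whatever autofill produces on the first hit. The alphabet
// is letters only, matching the behaviour the article reports, so card entries
// that begin with a digit are never reached.
const ALPHABET = "abcdefghijklmnopqrstuvwxyz";

function harvest(card, fields, alphabet = ALPHABET) {
  const leaked = {};
  for (const field of fields) {
    for (const ch of alphabet) {
      const completed = simulatedAutofill(card, field, ch);
      if (completed !== null) {
        leaked[field] = completed; // one correct first letter reveals the whole entry
        break;
      }
    }
  }
  return leaked;
}

// Fields a malicious form would carry; assumed names for the example.
const FIELDS = ["name", "title", "company", "city", "email", "phone", "street"];

console.log(harvest(ADDRESS_CARD, FIELDS));
```

Running this recovers name, title, company, city and e-mail but neither phone nor street, which is the split the article reports. Note that the stand-in oracle matches any prefix, so widening the alphabet with digits would recover the numeric fields in this simulation; the article says the real proof-of-concept could not, and the simulation makes no claim about why.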

This feature in Safari is checked by default, and if you fill out a lot of forms, you have probably come to rely on it. If so, you will miss it should you choose to turn it off.

Mr. Grossman also offered a video of the exploit in action for those not wanting to risk his proof-of-concept page. You can find it on his blog post.


6 Observer Comments

mactoid said on July 22nd, 2010 at 5:49 PM (Edited: 10/25/2011 8:44 PM):

I’ve never found Safari’s autofill feature to work very well anyway.  Turning it off isn’t a big loss.

Never ever liked autofill. It always seemed like a Microsoft “feature” that teased and then disappointed - coming close but never getting it right.

I lump “autocomplete” in the same category - interesting idea but not a timesaver at all.

I guess I’m just weird. All these other people seem to find it indispensable.

geoduck said on July 22nd, 2010 at 8:45 PM (Edited: 01/26/2012 2:46 PM):

Ya know, it really bugs me when options like this are on by default.

Proofreader Doug said on July 23rd, 2010 at 1:03 AM:

Proofreading alert:

> The feature being exploited is a convenient on in Safari

Thanks, Doug.

I corrected the missing letter, and I appreciate the note.

“The exploit requires a user to pull up a Web page that has been maliciously crafted, but it works whether or not you have been to that page before.”

This will probably turn out as another of my “duh” moments, but “requires a user to pull up a web page” and “whether or not you have been to that page” seem to contradict. What have I misunderstood? How does “pull up” a page differ from “go to”?

Thanks.
