Jeremiah Grossman, a security researcher, has found a way to exploit Safari’s (versions 4.x and 5.x) Autofill feature that would allow the bad guys to get your name, address, and contact information without your approval or knowledge. Fortunately, the exploit can be preemptively foiled by merely unchecking a preference.
Mr. Grossman, the founder and chief technology officer of White Hat Security, wrote in a blog post that he had found the exploit earlier this year and reported it to Apple on June 17th. Not having heard back from the company, aside from an auto-generated confirmation e-mail, Mr. Grossman published the exploit, a proof-of-concept demonstration to show it working, and instructions for Mac users for preventing the exploit until Apple releases a fix for it.
To do so, simply go to (Preferences > AutoFill > AutoFill web forms) and uncheck the “Using info from my Address Book card” field, if it is checked, as noted in the screenshot below.
The exploit requires a user to pull up a Web page that has been maliciously crafted, but it works whether or not you have been to that page before. The feature being exploited is a convenient one in Safari that allows the browser to fill in street information, e-mail addresses, your name, and your phone number, when the preference is checked.
The problem is that Mr. Grossman figured out how to tap this feature using JavaScript to automatically try one letter after another in each field in a form, and capture the resulting autofill information once the right first letter was hit. By doing so, he can get a user’s name, their title, their company, their town, or their e-mail.
He was not able to get phone numbers or street addresses because, he said, fields that begin with numbers don’t work with the proof-of-concept he developed. If you live in the 1920s, however, and your phone number begins with a “Clark” or “Klondike,” you may be vulnerable there, too.
This feature in Safari is checked by default, and if you fill out a lot of forms, you have likely relied on it often. If so, you’ll miss it, should you choose to turn it off.
Mr. Grossman also offered a video of the exploit in action for those not wanting to risk his proof-of-concept page. You can find it on his blog post.