Apple Safari is a hacker’s info harvesting dream

This apparently applies to Safari on Macs, and there is no word yet on whether it applies to the Windows version of Apple’s browser, but the folks over at 9 to 5 Mac have posted an alarming notice urging all Safari users to immediately disable the browser’s autofill feature.

It seems that one of the autofill features lets web forms be filled in automatically, even on a site you have never visited before, by pulling your information from your Address Book card. The danger, as outlined by Jeremiah Grossman using a very simple exploit, is that a malicious site could create hidden, dynamically generated form text fields which would then be populated with your information by simulating A-Z keystrokes with JavaScript.

As shown in the proof-of-concept code (graciously hosted by Robert “RSnake” Hansen), the entire process takes mere seconds and represents a major breach of online privacy. This attack could be further leveraged in multistage attacks including email spam, (spear) phishing, stalking, and even blackmail if a user is de-anonymized while visiting objectionable online material.
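The attack hinges on one combination: a text field the user cannot see, named so that autofill would drop contact data into it. Here is an added example from the defender's side (not the post's, Grossman's, or RSnake's code): a heuristic that flags exactly that combination. The field descriptors and the sample form are constructed so it runs under Node without a DOM; in a browser they would be built from document.querySelectorAll('input'), getComputedStyle and getBoundingClientRect.

```javascript
// Field names / autocomplete tokens that map to Address Book style data
// (constructed list; extend as needed).
const CONTACT_FIELD_PATTERN =
  /^(name|first[-_ ]?name|last[-_ ]?name|email|e-mail|phone|tel|mobile|address|street|city|zip|postal|company|org)/i;

// True when a text-like input would be invisible to the user: hidden by CSS,
// fully transparent, zero-sized, or pushed far off-screen.
function isHiddenFromUser(field) {
  const s = field.style || {};
  const r = field.rect || { width: 1, height: 1, left: 0, top: 0 };
  return (
    s.display === 'none' ||
    s.visibility === 'hidden' ||
    Number(s.opacity) === 0 ||
    r.width === 0 || r.height === 0 ||
    r.left < -1000 || r.top < -1000
  );
}

// True when the field looks like one autofill would populate with contact data.
// type="hidden" inputs are skipped: autofill only targets fields a user could type into.
function looksLikeContactField(field) {
  const type = (field.type || 'text').toLowerCase();
  if (type === 'hidden' || type === 'password' || type === 'submit') return false;
  const labels = [field.name, field.id, field.autocomplete].filter(Boolean);
  return labels.some((l) => CONTACT_FIELD_PATTERN.test(String(l)));
}

// The suspicious set: contact-bait fields that the user would never see.
function findHiddenAutofillFields(fields) {
  return fields.filter((f) => looksLikeContactField(f) && isHiddenFromUser(f));
}

// Constructed sample page: a normal login form, one visible address field,
// plus two contact fields hidden in the ways the write-up describes.
const SAMPLE_FIELDS = [
  { name: 'username', type: 'text', style: {}, rect: { width: 200, height: 20, left: 10, top: 10 } },
  { name: 'password', type: 'password', style: {}, rect: { width: 200, height: 20, left: 10, top: 40 } },
  { name: 'email', type: 'text', style: { display: 'none' }, rect: { width: 0, height: 0, left: 0, top: 0 } },
  { name: 'phone', type: 'text', style: {}, rect: { width: 200, height: 20, left: -5000, top: 0 } },
  { name: 'address', type: 'text', style: {}, rect: { width: 200, height: 20, left: 10, top: 70 } },
];

for (const f of findHiddenAutofillFields(SAMPLE_FIELDS)) {
  console.log(`suspicious hidden autofill field: ${f.name}`);
}
```

On the sample form only `email` and `phone` are reported; the visible `address` field is legitimate autofill use and is left alone.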

Sometimes the best hacks are the simplest ones, but this also goes to show that security problems aren’t just the province of any one tech company.

image courtesy of 9 to 5 Mac