In a recent blog post, security researcher Jeremiah Grossman, the founder and chief technology officer of WhiteHat Security, revealed that he had hit upon a way to exploit the ‘Autofill’ feature which is enabled by default in the Safari versions 4. x and 5. x.
According to Grossman, the Autofill feature – which automatically fills Web forms with details like a user’s name, phone number, e-mail address, and physical address, which are stored in the user’s personal Address Book card – can enable hackers to get hold of a user’s personal information, without either the approval or the knowledge of the user.
Saying that he had discovered the exploit earlier this year, Grossman added that he had reported it to Apple on June 17. However, since he received no correspondence from Apple, except for an auto-generated confirmation e-mail, he published the exploit on his research colleague Robert Hansen’s harmless proof-of-concept site, to show how it works.
About the working of the exploit, Grossman has revealed that though the exploit requires a user to pull up a maliciously-crafted Web page, it can still work even if a user has never been to that page before.
Grossman has also published instructions for Mac users for to prevent the exploit - suggesting that the users should un-check the “Using info from my Address Book card” option, if it is already checked by default, in the Safari’s ‘Preferences AutoFill AutoFill web forms’ section.
Related News
- Google launches the beta of its Chrome 6 Web browser; adds ‘autofill’
- Microsoft testing a patch to address critical flaw affecting IE6 and IE7
- Security researchers compromise popular platforms at Pwn2Own contest
- Apple Safari 5 – touted as the fastest Web browser
- Safari and IE8 toppled at Pwn2Own
- Attackers use IE to exploit Windows MHTML vulnerability
- Symantec’s Greenbaum: Microsoft “may consider” out-of-band patch to fix new IE flaw
