  • Researcher Finds Safari AutoFill Security Hole


    A security researcher has revealed a vulnerability in Apple's Safari browser that exposes users' personal information. Jeremiah Grossman of White Hat Security, Inc. discovered that an AutoFill feature, which is enabled by default in Safari versions 4 and 5, can be used to obtain a user's name, company, address, and email, as well as the content of other fields that begin with a letter. The weakness also exists in earlier versions of Microsoft's Internet Explorer. Grossman has put up a proof-of-concept web page that lets users check whether they are vulnerable.

    Basically, the exploit uses JavaScript to simulate keypresses from A to Z on hidden fields with titles like "Name," "Company," "Address," and "Email." When the default "AutoFill using info from my Address Book card" option is left enabled, Safari auto-completes the field and the info is sent to the attacker. As Grossman states in his blog post describing the vulnerability, "the entire process takes mere seconds," and it enables attackers to capture information for further mayhem, "including email spam, (spear) phishing, [and] stalking." Getting creative, Grossman even notes the possibility for "blackmail if a user is de-anonymized while visiting objectionable online material," presumably with a bogus site containing adult content that includes the AutoFill exploit. The vulnerability only exists if the first character in the field is a letter; numbers won't work.
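A defender-side check for the pattern described above, as an added example that is not from the article or from Grossman's proof of concept: it scans page markup for text inputs that are concealed from the user yet named like Address Book entries. The field-name list, the hiding heuristics and the sample markup are assumptions constructed for illustration.

```javascript
// Added example: flag form inputs that are concealed from the user yet named
// like Address Book entries. BAIT_NAMES and the hiding heuristics are
// assumptions chosen for illustration, not taken from the article.
const BAIT_NAMES = /^(name|first.?name|last.?name|company|address|street|city|e-?mail)$/i;

// Parse the attributes of one <input ...> tag into a plain object.
function parseAttrs(tag) {
  const attrs = {};
  const re = /([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  }
  return attrs;
}

// True when inline markup hides the field: CSS hiding, off-screen
// positioning, zero size, or the boolean `hidden` attribute.
function isVisuallyHidden(attrs, tag) {
  const style = (attrs.style || "").replace(/\s+/g, "").toLowerCase();
  const bare = tag.replace(/"[^"]*"|'[^']*'/g, '""'); // blank out quoted values
  return /display:none|visibility:hidden|opacity:0(?![.\d])/.test(style)
    || /(left|top):-\d{3,}/.test(style)
    || /(^|;)(width|height):0(px)?(;|$)/.test(style)
    || /\shidden(?=[\s/>])/i.test(bare);
}

// Return the names of concealed text inputs that look like autofill bait.
// type="hidden" inputs are skipped: they cannot take keyboard input.
function findAutofillBait(html) {
  const findings = [];
  for (const [tag] of html.matchAll(/<input\b[^>]*>/gi)) {
    const attrs = parseAttrs(tag);
    const type = (attrs.type || "text").toLowerCase();
    if (!["text", "email"].includes(type)) continue;
    const label = attrs.name || attrs.id || "";
    if (BAIT_NAMES.test(label) && isVisuallyHidden(attrs, tag)) findings.push(label);
  }
  return findings;
}

// Constructed sample page: a search box, an honest visible email field, and
// three concealed fields named after Address Book entries.
const SAMPLE = `
<form action="/subscribe">
  <input type="text" name="q" placeholder="Search">
  <input type="email" name="email">
  <input type="text" name="Name" style="position:absolute; left:-9999px">
  <input name='Company' style="display: none">
  <input type="text" name="Address" hidden>
</form>`;
console.log(findAutofillBait(SAMPLE));
```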

    Grossman says he reported the vulnerability to Apple on June 17, in accordance with standing policy among good-guy hackers to let a company fix its flaws before making them public. However, he says, Apple hasn't responded in any way at all, other than an automated acknowledgement that his email was received. After a follow-up message, Grossman says he got no response whatsoever, "human or robotic." He's releasing this information now to warn users about the vulnerability, so they can protect themselves by disabling the default feature.

    Grossman is set to give a talk at the Black Hat Technical Security Conference next week on vulnerabilities enabled by default in the four most common browsers. He's also found weaknesses in Firefox and Chrome that can reveal saved passwords, as well as a "mass cookie deleter" that can wipe out all of a user's cookies in a matter of seconds.

    Source: AppleInsider
    This article was originally published in forum thread: Researcher Finds Safari AutoFill Security Hole started by Paul Daniel Ash
    39 Comments
    1. drjailbreakMD -
      typical apple....thanks!!!
    1. Harris.s.7 -
      Woops it actually works.... better go and delete everything then
    1. iLoveWindows&iPhone -
      Boring
    1. Imsorussian -
      Was the hole between Safari's legs? And what now Apple gave her herpes? Damn it
    1. rhekt -
      I've always had my autofill turned off. I'm not that lazy
    1. justinede -
      haha good thing your password is encrypted.

      but, I can see this being used to build mass email lists for spammers.
    1. billmilo -
      Apple = Microsoft.
    1. Markanthony3211 -
      Just as we thought things couldn't get any worse with Cupertino.
    1. awesomeSlayer -
      Congratulations, Apple! You made me stay on FireFox forever!
    1. x2dope -
      Apple is learning the tough facts of being popular like Microsoft. Popular=people start hacking ur products!
    1. Tamkis -
      Originally posted by drjailbreakMD:
      "typical apple....thanks!!!"
      If Apple has helped you, please press the "Thanks!" button.
      Just kidding/being sarcastic, lol

      This is probably a dumb question, but does this security issue also affect the current version of Safari on ipt?
    1. Venom1234 -
      Good job apple!
    1. Chase817 -
      For some reason, I am not vulnerable somehow... Why is this?
    1. hackint0uch -
      Originally posted by awesomeiPod:
      "Congratulations, Apple! You made me stay on FireFox forever!"
      Firefox is bad too, even worse because they can delete cookies:
      "Grossman is set to give a talk at the Black Hat Technical Security Conference next week on vulnerabilities enabled by default in the four most common browsers. He's also found weaknesses in Firefox and Chrome that can reveal saved passwords, as well as a "mass cookie deleter" that can wipe out all of a user's cookies in a matter of seconds." Read the whole article.

      Also, I just turned autofill on, set it to my contact on iPhone and ran the test; it seems that it doesn't work in mobile Safari.

      I just tried on iPhone 3GS iOS 4.0 jailbroken and it seems not to work.
    1. NessLookAlike -
      Wonder if the heads of this security group will be arrested for drug charges?
    1. sh33436 -
      haha WOW.
    1. JayWins101 -
      Does this also work for iPhone Safari autofill?
    1. QuinnNebula -
      Come on apple! you falling off
    1. dsg -
      Chrome seems unaffected, this sucks though because I use Safari,

      Appl£ get it fixed NOW!!!!!

      Edit: just tried the proof-of-concept web page with Safari on my iPhone, no issues. I recommend you test it yourself though
    1. Halten77 -
      Typical... No wonder when I checked my Yahoo! Email in Safari, a month later it was filled with spam... I haven't even signed up for any websites or filled in my email anywhere... Wow Apple. You made me stick to Opera Browser.