A vulnerability in Apple's Safari browser exposing users' personal information has been revealed by a security researcher. Jeremiah Grossman of White Hat Security, Inc. discovered that an AutoFill feature - which is enabled by default in Safari versions 4 and 5 - can be used to obtain a user's name, company, address, and email, as well as the content of other fields that begin with a letter. The weakness also exists in earlier versions of Microsoft's Internet Explorer. Grossman has a proof-of-concept web page up that will let users check to see if they are vulnerable.
According to Grossman, "the entire process takes mere seconds," and enables attackers to capture information for further mayhem, "including email spam, (spear) phishing, [and] stalking." Getting creative, Grossman even notes the possibility for "blackmail if a user is de-anonymized while visiting objectionable online material," presumably with a bogus site containing adult content which would include the AutoFill exploit. The vulnerability only exists if the first character in the field is a letter; numbers won't work.
Grossman says he reported the vulnerability to Apple on June 17, in accordance with standing policy among good-guy hackers to let a company fix its flaws before making them public. However, he says, Apple hasn't responded in any way at all, other than an automated acknowledgement that his email was received. After a follow-up message, Grossman says he got no response whatsoever, "human or robotic." He's releasing this information now to warn users about the vulnerability, so they can protect themselves by disabling the default feature.
Grossman is set to give a talk at the Black Hat Technical Security Conference next week on vulnerabilities enabled by default in the four most common browsers. He's also found weaknesses in Firefox and Chrome that can reveal saved passwords, as well as a "mass cookie deleter" that can wipe out all of a user's cookies in a matter of seconds.