

Thread: Researcher Finds Safari AutoFill Security Hole

  1. #1
    MMi Staff Writer Paul Daniel Ash's Avatar
    Join Date
    Aug 2009
    Location
    Union Square, Somerville, Mass.
    Posts
    919
    Thanks
    6
    Thanked 995 Times in 401 Posts

    Researcher Finds Safari AutoFill Security Hole


    A vulnerability in Apple's Safari browser exposing users' personal information has been revealed by a security researcher. Jeremiah Grossman of White Hat Security, Inc. discovered that an AutoFill feature - which is enabled by default in Safari versions 4 and 5 - can be used to obtain a user's name, company, address, and email, as well as the content of other fields that begin with a letter. The weakness also exists in earlier versions of Microsoft's Internet Explorer. Grossman has a proof-of-concept web page up that will let users check to see if they are vulnerable.

    Basically, the exploit involves using JavaScript to simulate keypresses from A to Z on hidden fields with titles like “Name,” “Company,” “Address,” and “Email.” When the "AutoFill using info from my Address Book card" default option is left enabled, Safari auto-completes the field and the info is sent to the attacker. As Grossman states in his blog post describing the vulnerability, "the entire process takes mere seconds," and enables attackers to capture information for further mayhem, "including email spam, (spear) phishing, [and] stalking." Getting creative, Grossman even notes the possibility for "blackmail if a user is de-anonymized while visiting objectionable online material," presumably with a bogus site containing adult content which would include the AutoFill exploit. The vulnerability only exists if the first character in the field is a letter; numbers won't work.

    Grossman says he reported the vulnerability to Apple on June 17, in accordance with standing policy among good-guy hackers to let a company fix its flaws before making them public. However, he says, Apple hasn't responded in any way at all, other than an automated acknowledgement that his email was received. After a follow-up message, Grossman says he got no response whatsoever, "human or robotic." He's releasing this information now to warn users about the vulnerability, so they can protect themselves by disabling the default feature.

    Grossman is set to give a talk at the Black Hat Technical Security Conference next week on vulnerabilities enabled by default in the four most common browsers. He's also found weaknesses in Firefox and Chrome that can reveal saved passwords, as well as a "mass cookie deleter" that can wipe out all of a user's cookies in a matter of seconds.

    Source: AppleInsider
    Last edited by Paul Daniel Ash; 07-22-2010 at 03:50 PM.

  2. The Following 5 Users Say Thank You to Paul Daniel Ash For This Useful Post:

    cir_osis (07-22-2010), Freerunnering (07-23-2010), lightmaster (07-24-2010), reaves205 (07-22-2010), wreclusrob (07-22-2010)
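
    A defensive check for the pattern the article above describes (concealed form fields labelled "Name," "Company," "Address," and "Email"), as an added example that is not part of the original post or of Grossman's proof of concept. The field-descriptor shape, the function names and the concealment thresholds are assumptions chosen for illustration.

```javascript
// Added example: flags concealed inputs labelled like Address Book fields.
// Fields are plain objects so this runs under Node; in a browser they would
// be built from document.querySelectorAll('input') and getComputedStyle().

// Field labels the article names as AutoFill targets.
const AUTOFILL_LABELS = ['name', 'company', 'address', 'email'];
// Assumption: only text-like inputs are AutoFill candidates.
const TEXT_TYPES = ['', 'text', 'email'];

// Returns the ways a field is concealed from the user (empty = visible).
function concealmentReasons(style) {
  const s = style || {};
  const reasons = [];
  if (s.display === 'none') reasons.push('display:none');
  if (s.visibility === 'hidden') reasons.push('visibility:hidden');
  if (parseFloat(s.opacity) === 0) reasons.push('opacity:0');
  if (parseFloat(s.width) === 0 || parseFloat(s.height) === 0) reasons.push('zero size');
  if (parseFloat(s.left) <= -1000 || parseFloat(s.top) <= -1000) reasons.push('off-screen');
  return reasons;
}

// Returns the AutoFill labels found in a field's name, id or title.
function autofillLabels(field) {
  const text = [field.name, field.id, field.title].join(' ').toLowerCase();
  return AUTOFILL_LABELS.filter((label) => text.includes(label));
}

// A finding is a text-like input that is both concealed and AutoFill-labelled.
function auditFields(fields) {
  const findings = [];
  for (const f of fields) {
    if (!TEXT_TYPES.includes((f.type || '').toLowerCase())) continue;
    const labels = autofillLabels(f);
    const reasons = concealmentReasons(f.style);
    if (labels.length && reasons.length) findings.push({ field: f.name, labels, reasons });
  }
  return findings;
}

// Constructed sample descriptors (not taken from any real page).
const SAMPLE_FIELDS = [
  { name: 'Name', type: 'text', style: { position: 'absolute', left: '-9999px' } },
  { name: 'Email', type: 'text', style: { opacity: '0' } },
  { name: 'Company', type: 'text', style: { width: '0px' } },
  { name: 'Address', type: 'text', style: {} },             // visible, ordinary form field
  { name: 'q', type: 'text', style: { display: 'none' } },  // hidden, but not a target label
  { name: 'email_token', type: 'hidden', style: {} },       // not a text-like input
];

console.log(auditFields(SAMPLE_FIELDS));
```

    Legitimate pages also conceal inputs (anti-spam honeypot fields, collapsed forms), so a finding is a prompt for review rather than proof of harvesting.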

  3. #2
    What's Jailbreak? drjailbreakMD's Avatar
    Join Date
    Jan 2010
    Location
    Michigan
    Posts
    24
    Thanks
    12
    Thanked 4 Times in 3 Posts

    typical apple....thanks!!!

  4. #3
    What's Jailbreak? Harris.s.7's Avatar
    Join Date
    Jun 2010
    Posts
    11
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Woops it actually works.... better go and delete everything then

  5. #4
    My iPhone is a Part of Me iLoveWindows&iPhone's Avatar
    Join Date
    May 2010
    Location
    San Diego, CA
    Posts
    591
    Thanks
    9
    Thanked 49 Times in 34 Posts

    Boring

  6. #5
    Green Apple Imsorussian's Avatar
    Join Date
    Jan 2009
    Location
    Brooklyn, NY
    Posts
    91
    Thanks
    10
    Thanked 6 Times in 6 Posts

    Was the hole between safari's legs? And what now apple gave her herpies? Damn it

  7. The Following User Says Thank You to Imsorussian For This Useful Post:

    greekking23 (07-23-2010)

  8. #6
    Livin the iPhone Life rhekt's Avatar
    Join Date
    Jun 2009
    Posts
    1,294
    Thanks
    43
    Thanked 65 Times in 53 Posts

    I've always had my autofill turned off. I'm not that lazy

  9. #7
    What's Jailbreak? justinede's Avatar
    Join Date
    Dec 2007
    Location
    California
    Posts
    18
    Thanks
    1
    Thanked 3 Times in 2 Posts

    haha good thing your password is encrypted.

    but, i can see this being used to build mass email lists for spammers.

  10. #8
    iPhone? More like MyPhone
    Join Date
    Jun 2009
    Posts
    167
    Thanks
    29
    Thanked 26 Times in 18 Posts

    Apple = Microsoft.

  11. #9
    Green Apple Markanthony3211's Avatar
    Join Date
    May 2010
    Posts
    64
    Thanks
    4
    Thanked 2 Times in 2 Posts

    Just as we thought things couldn't get any worse with Cupertino.
    "The quieter you become, the more you are able to hear"

    'Follow Me on Twitter@Markanthony3211' I always Follow Back.

  12. #10
    MMi's "X" Member awesomeSlayer's Avatar
    Join Date
    May 2008
    Location
    Dragonspiral Tower in 3DS
    Posts
    4,524
    Thanks
    114
    Thanked 347 Times in 259 Posts

    Congratulations, Apple! You made me stay on FireFox forever!
    Asking for help is different from being stupid. Fanboys can rot in @#$%!

  13. #11
    iPhoneaholic x2dope's Avatar
    Join Date
    Apr 2009
    Location
    Louisiana
    Posts
    448
    Thanks
    134
    Thanked 347 Times in 148 Posts

    Apple is learning the tough facts of being popular like Microsoft. Popular = people start hacking your products!

  14. #12
    Green Apple Tamkis's Avatar
    Join Date
    May 2010
    Location
    Pennsylvania
    Posts
    95
    Thanks
    43
    Thanked 6 Times in 5 Posts

    Originally posted by drjailbreakMD:
    typical apple....thanks!!!
    If Apple has helped you, please press the "Thanks!" button.
    Just kidding/being sarcastic, lol

    This is probably a dumb question, but does this security issue also affect the current version of Safari on ipt?
    Last edited by Tamkis; 07-22-2010 at 04:58 PM.

  15. #13
    iPhone? More like MyPhone Venom1234's Avatar
    Join Date
    Oct 2007
    Posts
    141
    Thanks
    0
    Thanked 11 Times in 10 Posts

    Good job apple!

  16. #14
    Livin the iPhone Life Chase817's Avatar
    Join Date
    Mar 2008
    Location
    Orange County, CA
    Posts
    1,463
    Thanks
    127
    Thanked 91 Times in 65 Posts

    For some reason, I am not vulnerable somehow... Why is this?

  17. #15
    Green Apple
    Join Date
    Aug 2009
    Posts
    66
    Thanks
    4
    Thanked 1 Time in 1 Post
    Originally posted by awesomeiPod:
    Congratulations, Apple! You made me stay on FireFox forever!
    Firefox is bad too even worse because they can delete cookies:
    "Grossman is set to give a talk at the Black Hat Technical Security Conference next week on vulnerabilities enabled by default in the four most common browsers. He's also found weaknesses in Firefox and Chrome that can reveal saved passwords, as well as a "mass cookie deleter" that can wipe out all of a user's cookies in a matter of seconds." read the whole article.

    Also I just turned autofill on and set it to my contact on iPhone and ran the test seems that it doesn't work in mobile Safari.

    I just tried on iPhone 3GS iOS 4.0 jailbroken and seems not to work.
    Last edited by hackint0uch; 07-22-2010 at 05:15 PM. Reason: Automerged Doublepost

  18. #16
    iPhone? More like MyPhone
    Join Date
    Jul 2008
    Posts
    215
    Thanks
    9
    Thanked 31 Times in 22 Posts

    Wonder if the heads of this security group will be arrested for drug charges?

  19. #17
    Green Apple
    Join Date
    Jun 2010
    Posts
    76
    Thanks
    51
    Thanked 1 Time in 1 Post
    haha WOW.

  20. #18
    What's Jailbreak?
    Join Date
    Feb 2010
    Posts
    5
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Does this also work for iPhone safari autofill

  21. #19
    Green Apple
    Join Date
    Jul 2010
    Posts
    42
    Thanks
    12
    Thanked 2 Times in 2 Posts

    Come on apple! you falling off

  22. #20
    Livin the iPhone Life dsg's Avatar
    Join Date
    Jul 2008
    Posts
    1,810
    Thanks
    3,411
    Thanked 1,932 Times in 755 Posts

    Chrome seems unaffected, this sucks though because I use safari,

    Appl£ get it fixed NOW!!!!!

    Edit: just tried the proof-of-concept web page with Safari on my iPhone, no issues. I recommend you test it yourself though
    Last edited by dsg; 07-22-2010 at 06:05 PM.
