Your favorite Apple, iPhone, iPad, iOS, Jailbreak, and Cydia site.
07-22-2010, 04:45 PM #1
Researcher Finds Safari AutoFill Security Hole
A vulnerability in Apple's Safari browser exposing users' personal information has been revealed by a security researcher. Jeremiah Grossman of White Hat Security, Inc. discovered that an AutoFill feature - which is enabled by default in Safari version 4 and 5 - can be used to obtain a user's name, company, address, and email, as well as the content of other fields that begin with a letter. The weakness also exists in earlier versions of Microsoft's Internet Explorer. Grossman has a proof-of-concept web page up that will let users check to see if they are vulnerable.
Grossman says he reported the vulnerability to Apple on June 17, in accordance with standing policy among good-guy hackers to let a company fix its flaws before making them public. However, he says, Apple hasn't responded in any way at all, other than an automated acknowledgement that his email was received. After a follow-up message, Grossman says he got no response whatsoever, "human or robotic.” He's releasing this information now to warn users about the vulnerability, so they can protect themselves by disabling the default feature.
Grossman is set to give a talk at the Black Hat Technical Security Conference next week on vulnerabilities enabled by default in the four most common browsers. He's also found weaknesses in Firefox and Chrome that can reveal saved passwords, as well as a "mass cookie deleter" that can wipe out all of a user's cookies in a matter of seconds.
Last edited by Paul Daniel Ash; 07-22-2010 at 04:50 PM.
07-22-2010, 04:52 PM #2
07-22-2010, 04:56 PM #3
Woops it actually works.... better go an delete everything then
07-22-2010, 05:04 PM #4
07-22-2010, 05:23 PM #5
Was the hole between safari's legs? And what now apple gave her herpies? Damn it
The Following User Says Thank You to Imsorussian For This Useful Post:
07-22-2010, 05:27 PM #6
I've always had my autofill turned off. I'm not that lazy
07-22-2010, 05:29 PM #7
haha good thing your password is encrypted.
but, i can see this being used to build mass email lists for spammers.
07-22-2010, 05:44 PM #8
Apple = Microsoft.
07-22-2010, 05:44 PM #9
Just as we thought things couldn't get any worse with Cupertino."The quieter you become, the more you are able to hear"
'Follow Me on Twitter@Markanthony3211' I always Follow Back.
07-22-2010, 05:51 PM #10
Congratulations, Apple! You made me stay on FireFox forever!Asking for help is different from being stupid. Fanboys can rot in @#$%!
07-22-2010, 05:55 PM #11
Apple is learning the
Tough facts of being popular like Microsoft. Popular=people start hacking ur products!
07-22-2010, 05:55 PM #12
07-22-2010, 06:05 PM #13
Good job apple!
07-22-2010, 06:10 PM #14
For some reason, I am not vulnerable somehow... Why is this?
07-22-2010, 06:15 PM #15
"Grossman is set to give a talk at the
Black Hat Technical Security Conference
next week on vulnerabilities enabled by default in the four most common browsers. He's also found weaknesses in Firefox and Chrome that can reveal saved passwords, as well as a "mass cookie deleter" that can wipe out all of a user's cookies in a matter of seconds." read the whole article.
Also I just turned autofill on and set it to my contact on iPhone and ran the test seems that it doesn't work in mobile Safari.
I just tried on iPhone 3GS iOS 4.0 jailbroken and seems not to work.
Last edited by hackint0uch; 07-22-2010 at 06:15 PM. Reason: Automerged Doublepost
07-22-2010, 06:17 PM #16
Wonder if the heads of this security group will be arrested for drug charges?
07-22-2010, 06:18 PM #17
07-22-2010, 06:29 PM #18
Does this also work for iPhone safari autofill
07-22-2010, 06:34 PM #19
Come on apple! you falling off
07-22-2010, 06:58 PM #20
Chrome seems unaffected, this sucks though because I use safari,
Appl£ get it fixed NOW!!!!!
Edit: just tried the proof-of-concept web page with Safari on my iPhone no issues I recommend you test it your self though
Last edited by dsg; 07-22-2010 at 07:05 PM.