or Connect
AppleInsider › Forums › Software › Mac Software › Apple plugs autofill vulnerability with Safari 5.0.1
New Posts  All Forums:Forum Nav:

Apple plugs autofill vulnerability with Safari 5.0.1

post #1 of 10
Thread Starter 
In addition to activating extensions, Apple's latest update to the Safari Web browser also plugs a potentially dangerous security hole that could allow hackers to obtain a user's personal information.

Earlier this month, a security researcher exposed the flaw in Safari, which could allow a hacker to obtain a user's personal information saved in the browser's autofill feature. The exploit could be used to access information such as a person's name, e-mail address, what company they work for, or the city and state they live in.

"An implementation issue exists that allows a maliciously crafted website to trigger AutoFill without user interaction," a note from Apple product security reads. "This can result in the disclosure of information contained within the user's Address Book Card."

The exploit was first demonstrated by Jeremiah Grossman of WhiteHat Security, who was credited by Apple for reporting the issue. Both versions 4 and 5 of Safari were vulnerable to the flaw.

Accordingly, in addition to the 5.0.1 update issued Wednesday, Apple also released Safari 4.1.1 for Mac OS X 10.4 Tiger, which also plugs the vulnerability.

The exploit could even affect those who have never sued the autofill functionality in their browser, as Safari, by default, grabs information from a user's Address Book card to help complete online forms. Users who have not updated their browser can avoid the issue by disabling the option to "AutoFill web forms," found in the browser's settings.

Grossman's proof of concept of the hack shows that it can be implemented on a simple website to obtain a user's information in a matter of seconds. The security researcher said the data could be used to send e-mail spam or conduct a phishing attack.

He noted that autofill data starting with a number, including phone numbers and street addresses, could not be obtained through the hack. But other information, including names and e-mail addresses, was at risk.

"Such attacks could be easily and cheaply distributed on a mass scale using an advertising network where likely no one would never notice because it's not exploit code designed to deliver rootkit payload," he said.

Both Safari 5.0.1 and Safari 4.1.1 also fix another security flaw that could allow a malicious RSS feed to send files from a user's system to a remote server. The exploit took advantage of a cross-site scripting issue in Safari's handling of RSS feeds.

Apple addressed the issue through improved handling of RSS feeds. The exploit was first reported by Billy Rios of the Google Security Team.
post #2 of 10
Just downloaded it, runs fine. Safari 4 life! lol
post #3 of 10
Safari 5 was pretty crashy for me, and so far this morning after updating to 5.0.1, I haven't had any of the crashes I was getting, so happy feet!
post #4 of 10
Quote:
Originally Posted by martimus3060 View Post

Safari 5 was pretty crashy for me, and so far this morning after updating to 5.0.1, I haven't had any of the crashes I was getting, so happy feet!

for me it was crashy as well, in fact i had a kernel panic once with safari 5, but happy so far with the newer version
post #5 of 10
Nice to hear that holes are getting plugged.

Never personally liked safari. Prefer chrome and FF.
--SHEFFmachine out
Da Bears!
Reply
--SHEFFmachine out
Da Bears!
Reply
post #6 of 10
Has always been very stable, also runs flash fine(ish) new version very welcome, coda notes already installed.
post #7 of 10
Quote:
Originally Posted by AppleInsider View Post

In addition to activating extensions, Apple's latest update to the Safari Web browser also plugs a potentially dangerous security hole that could allow hackers to obtain a user's personal information....

It's good that they fixed it, but IMO a better fix would be just to not turn it on by default. It just seems like a colossally bad idea to have a program accessing a person's personal info by default with no interaction from them.
post #8 of 10
Quote:
Originally Posted by AppleInsider View Post

The exploit could even affect those who have never sued the autofill functionality in their browser

Man! You know our litigious environment is getting bad when lawsuits are being filed against program features.
post #9 of 10
glad to hear its causing less crashes. ive had to switch to google chrome since upgrading to safari 5, its just kept crashing so much its become unusable. actually ive got to quite like chrome. if it could view PDFs in the browser like safari can i might be tempted to use it permenantly
post #10 of 10
Quote:
Originally Posted by Fahrwahr View Post

Man! You know our litigious environment is getting bad when lawsuits are being filed against program features.

beat me to it!
New Posts  All Forums:Forum Nav:
  Return Home
  Back to Forum: Mac Software
AppleInsider › Forums › Software › Mac Software › Apple plugs autofill vulnerability with Safari 5.0.1