Security researcher demos autofill exploit in Apple Safari

Comments

  • Reply 21 of 27
    pb Posts: 4,255 member
    Quote:
    Originally Posted by Pinolox View Post


    Could it be because I have a different language set-up as default?



    That may be the reason. Also, if I remember correctly, Safari does not auto-complete fields in secured web pages (https), although I cannot tell if this is due to a Safari feature or to something coded in the page.
  • Reply 22 of 27
    pinolox Posts: 2 member
    Quote:
    Originally Posted by PB View Post


    That may be the reason. Also, if I remember correctly, Safari does not auto-complete fields in secured web pages (https), although I cannot tell if this is due to a Safari feature or to something coded in the page.



    It's not a secure page. I tried the "proof of concept" page and it didn't return anything. The closest I got to seeing some personal info was with Chrome, which showed autocomplete drop-down suggestions, but didn't actually fill out the field.

    Camino, OTOH, somehow prevented the script from cycling through the fields.

    I'm quite surprised that the language has an impact, since I thought at system-level the Address Book fields are identified by #IDs or English strings (hint: I'm not a Mac software developer).
  • Reply 23 of 27
    Quote:
    Originally Posted by palegolas View Post


    Nasty.

    I think we'll see a quick security patch here. I guess a LOT of people are using Auto Fill..



    It's on by default. If you need proof of how many people keep things on by default, check the IE market share.
  • Reply 24 of 27
    Quote:
    Originally Posted by PB View Post


    That may be the reason. Also, if I remember correctly, Safari does not auto-complete fields in secured web pages (https), although I cannot tell if this is due to a Safari feature or to something coded in the page.



    A malicious site wouldn't be using a secure page. This is something you'd accidentally stumble upon, not something that would accidentally happen on a page you purposely visited. Imagine that it's in a MySpace or Facebook page / app. It could compromise millions of people.
  • Reply 25 of 27
    lilgto64 Posts: 1,147 member
    Safari is not the only browser with autofill - where is the comparative analysis showing that every browser on every platform suffers from the same thing?



    And where is the alert that a web page has asked my system to provide personal information even though that info is not needed and does not appear on the screen anywhere?



    I am sure that is the source of lots of junk mail - I don't use my son's email except to register him for online games - but I get junk mail to his account that must be coming from sites I visit on my system, which does not have a user logon for him - but on which I have an email client set up so I can keep an eye on his email.



    In my opinion - ANY information AT ALL - that is requested by a web site - should pop up in a message box - indicating who is asking and why - and some option to exclude specific info if you want or to include all or exclude all and to remember this action for a given domain.



    At the very least it would be interesting to learn how many 3rd parties are grabbing info without your knowledge or permission.



    Yes, I know I could use something like Little Snitch or private browsing (on some browsers) - but it just strikes me as wrong that every company who puts out a browser by default allows anyone who asks to be handed your private information without your knowledge or consent. That is a privacy issue that our government officials should have been asking about a decade ago.
  • Reply 26 of 27
    mstone Posts: 11,510 member
    Quote:
    Originally Posted by lilgto64 View Post


    Safari is not the only browser with autofill - where is the comparative analysis showing that every browser on every platform suffers from the same thing?



    Apparently the difference between how Safari auto fills and how Firefox does it is that on certain fields Safari actually fills in the form fields where Firefox only offers suggestions in a pull down select list. The exploit can only grab the info after it goes into the field. Keep in mind that the form doesn't visually appear on the page. The fields only exist in memory.
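
Added example, not part of any post in this thread: the condition described in the reply above (fields that autofill can populate but that never appear on screen) can be checked for defensively, for instance by a content script or page audit. The field descriptors, name hints and size thresholds below are assumptions made for illustration.

```javascript
// Added example: flag form fields a browser could autofill while hidden from view.
// Field descriptors are plain objects so this runs in Node; in a page they would be
// built from getComputedStyle() and getBoundingClientRect() for each <input>.

// Assumption: name/id substrings that suggest contact-card data.
const PERSONAL_HINTS = /(name|e-?mail|street|address|city|state|zip|postal|country|phone|company)/i;

function isAutofillCandidate(f) {
  const type = (f.type || 'text').toLowerCase();
  if (!['text', 'email', 'tel'].includes(type)) return false;
  // Assumption: the browser honours autocomplete="off" on the field.
  if ((f.autocomplete || '').toLowerCase() === 'off') return false;
  return PERSONAL_HINTS.test(f.name || '') || PERSONAL_HINTS.test(f.id || '');
}

function hiddenReason(f) {
  const s = f.style, r = f.rect;
  if (s.display === 'none') return 'display:none';
  if (s.visibility === 'hidden') return 'visibility:hidden';
  if (Number(s.opacity) === 0) return 'opacity:0';
  if (r.width < 2 || r.height < 2) return 'near-zero size';
  if (r.x + r.width <= 0 || r.y + r.height <= 0) return 'off-screen';
  return null; // visible as far as this heuristic can tell
}

function auditFields(fields) {
  return fields
    .filter(isAutofillCandidate)
    .map(f => ({ name: f.name, reason: hiddenReason(f) }))
    .filter(finding => finding.reason !== null);
}

// Constructed sample descriptors, not taken from any real page.
const shown = { display: 'block', visibility: 'visible', opacity: '1' };
const box = { x: 20, y: 100, width: 200, height: 24 };
const SAMPLE_FIELDS = [
  { type: 'text', name: 'email', style: shown, rect: box },
  { type: 'text', name: 'street', style: { ...shown, display: 'none' }, rect: box },
  { type: 'text', name: 'city', style: shown, rect: { ...box, x: -5000 } },
  { type: 'text', name: 'company', style: { ...shown, opacity: '0' }, rect: box },
  { type: 'text', name: 'q', style: { ...shown, opacity: '0' }, rect: box },
  { type: 'text', name: 'phone', autocomplete: 'off', style: { ...shown, display: 'none' }, rect: box },
];

for (const { name, reason } of auditFields(SAMPLE_FIELDS)) {
  console.log(`hidden autofill candidate: ${name} (${reason})`);
}
```
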
  • Reply 27 of 27
    Quote:
    Originally Posted by ihxo View Post


    That's not good, but I use 1password.



    Yep, same here. I also have the keychain turned off and deleted most of my data in it. I strongly suggest people look into either 1Password or LastPass.