Expert Warns Over Apple Safari AutoFill Vulnerability

The AutoFill feature in Apple’s Safari web browser could be used to steal user information, according to the findings from a security researcher.

Jeremiah Grossman, CTO of WhiteHat Security, noted that in Safari version 4 or 5, the AutoFill feature fills in information such as email addresses and names by default whenever it recognises a form. The data is pulled from Safari’s local operating system address book, and the process occurs whether a person has entered the data on any website before or not.

“All a malicious website would have to do to surreptitiously extract Address Book card data from Safari is dynamically create form text fields with the aforementioned names, probably invisibly, and then simulate A-Z keystroke events using JavaScript,” Grossman wrote. “When data is populated, that is AutoFill’ed, it can be accessed and sent to the attacker.”

Major Privacy Breach

This should not be confused with the normal auto-complete data a website may remember after data is typed into a form, he added.

Citing proof-of-concept code from security researcher and SecTheory CEO Robert “RSnake” Hansen, Grossman called the process a “major breach in online privacy” and wrote that the issue could be utilised in multistage attacks including email spam and spear phishing.

“Fortunately any AutoFill data starting with a number, such as phone numbers or street addresses, could not be obtained because for some reason the data would not populate in the text field,” he noted. “Still, such attacks could be easily and cheaply distributed on a mass scale using an advertising network where likely no one would ever notice because it’s not exploit code designed to deliver rootkit payload. In fact, there is no guarantee this has not already taken place.”
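The technique described above relies on text fields that are present in the page yet invisible to the user. As an added defender-side example (not code from the article, Grossman or Hansen), the scanner below flags text inputs a page hides by CSS while naming them like Address Book data, the kind of check one could run over ad creatives before serving them; the field-name words and hiding heuristics are assumptions, and the sample page is constructed.

```python
import re
from html.parser import HTMLParser

# Contact fields Safari AutoFill may populate (the article names names and email
# addresses); the wider word list is an assumption for this example.
SENSITIVE = re.compile(r"name|email|e-mail|phone|address|street|city|zip|company", re.I)
# Inline-style tricks that keep a text field AutoFill-able but out of sight.
HIDDEN = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?![.\d])"
                    r"|(?:left|top)\s*:\s*-\d{3,}px|(?:width|height)\s*:\s*[01]px", re.I)
VOID = {"input", "br", "img", "hr", "meta", "link"}  # tags that never get an end tag

class HiddenAutofillScanner(HTMLParser):
    """Flag text inputs hidden by CSS (directly or via an ancestor) and named like contact data."""
    def __init__(self):
        super().__init__()
        self.findings = []
        self._stack = []  # one "hidden?" flag per open non-void element

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        hidden = any(self._stack) or bool(HIDDEN.search(a.get("style", "")))
        # type="hidden" inputs are never AutoFilled, so only text-like fields matter
        if tag in ("input", "textarea") and a.get("type", "text").lower() in ("text", "email", "tel"):
            label = " ".join(a.get(k, "") for k in ("name", "id", "autocomplete", "placeholder"))
            if hidden and SENSITIVE.search(label):
                self.findings.append({"name": a.get("name") or a.get("id"), "line": self.getpos()[0]})
        if tag not in VOID:  # <input .../> self-closing tags reach here too and never push
            self._stack.append(hidden)

    def handle_endtag(self, tag):
        if tag not in VOID and self._stack:
            self._stack.pop()

def scan_html(html):
    """Return the hidden, contact-named text fields found in an HTML document."""
    p = HiddenAutofillScanner()
    p.feed(html)
    return p.findings

# Constructed sample page: two fields hidden off-screen by a parent div, one by display:none.
SAMPLE = """<form id="contact">
  <input type="text" name="search" placeholder="Search">
  <div style="position:absolute; left:-9999px">
    <input type="text" name="name">
    <input type="text" name="email">
  </div>
  <input type="text" name="company" style="display:none">
  <input type="hidden" name="csrf" value="token">
  <input type="text" name="city">
</form>"""
```

Running `scan_html(SAMPLE)` reports the `name`, `email` and `company` fields and ignores the visible `search` and `city` inputs and the `type="hidden"` token.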

No Apple Response

Grossman said he disclosed the issue to Apple 17 June, but only received an automated response in return.

Safari users concerned about the issue can disable the “AutoFill web forms” option in Safari’s preferences to prevent this.

Brian Prince eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved
