Apple Safari: Browser’s AutoFill Feature Could Have Security Flaw

By Jamie Pert - Jul 22, 2010

In a previous article, we reported how Apple were top of the security flaws and vulnerabilities list, and with new information we have found out today regarding the AutoFill feature on Apple’s Safari browser, it further concludes that the report was indeed correct.

The problem has apparently been around for about a year, but was only known to those ‘in the know’ as it were, which makes the issue slightly more ridiculous than it would under normal circumstances.

You should all know what AutoFill actually does, if you don’t then we will put it in the most simplistic form. It AutoFills fields in forms, remembering your past inputs depending on the fields you filled in such as name, email address, telephone number, and so on and so forth.

This is more commonly known as Auto-Complete, but with the screenshot below, Safari uses data from a stored Address Book card on the operating system to gather this information if selected.

Jeremiah Grossman explains it a whole lot better:

“These fields are AutoFill’ed using data from the users personal record in the local operating system address book. Again it is important to emphasize this feature works even though a user never entered this data on any website. Also this behavior should not be confused with normal auto-complete data a Web browser may remember after its typed into a form.”

But this is where the problem resides. Grossman explains this by saying:

“All a malicious website would have to do to surreptitiously extract Address Book card data from Safari is dynamically create form text fields with the aforementioned names, probably invisibly, and then simulate A-Z keystroke events using JavaScript. When data is populated, that is AutoFill’ed, it can be accessed and sent to the attacker.”

Basically, unselecting a few boxes and options within the browser won’t be able to prevent being attacked, you will need to uncheck ALL options that are categorized with the AutoFill system. The AutoFill system is on by default, so it may be time to check exactly what options you have set.

Grossman did notify Apple about the security flaw around a month ago, but has yet to hear anything back from the iPhone bigwigs.

What do you make of the security flaw? Have you changed your settings now?

Source: SlashGear

Follow us on Facebook, Twitter or Google Plus.

Also See: Apple Update Safari: Download 5.0.4 for Improved Security