Potential security risk uncovered with Safari's autofill

Digital security investigator Jeremiah Grossman has uncovered a problem with Safari, where websites can exploit the autofill feature to get personal information from the sources that Safari uses for Autofill, including the address book and Safari's own autofill database.

Digital security investigator Jeremiah Grossman has uncovered a problem with Safari, where websites can exploit the autofill feature to get personal information from the sources that Safari uses for Autofill, including the address book and Safari's own autofill database.

As described on Grossman's blog posting, the problem affects both version 4 and version 5 of Safari, and happens because Safari will automatically look for personal information to put in form fields when a user starts entering text in these fields. If the text matches the information Safari uses for autofill, then the program will fill out the remainder of the fields accordingly, highlighting the autofilled information in yellow.

Malicious websites just need to use javacript code to create such fields and then simulate keystroke entries to those fields. When the entered character matches expected information in Safari's autofill, the program will fill out the remaining fields just as if a user has entered the information. This can then be automatically submitted to the website.

AutoFill Preferences
Uncheck these boxes in Safari's preferences to turn off AutoFill.

Grossman links to a proof-of-concept website that shows this behavior.

For now the safest thing to do is turn off Safari's autofill function, especially if you do not use it regularly. This feature can be found by going to Safari's preferences, then unchecking all options in the "AutoFill" section. Grossman so far has no information regarding Apple's knowledge of this problem, but hopefully this will be fixed soon in an update to both Safari 4 and 5.



Questions? Comments? Have a fix? Post them below or email us!
Be sure to check us out on Twitter and the CNET Mac forums.

About the author

    Topher, an avid Mac user for the past 15 years, has been a contributing author to MacFixIt since the spring of 2008. One of his passions is troubleshooting Mac problems and making the best use of Macs and Apple hardware at home and in the workplace.

     

    Discuss Potential security risk uncovered with Safari's autofill

    Conversation powered by Livefyre

    Show Comments Hide Comments