
Potential security risk uncovered with Safari's autofill

Digital security investigator Jeremiah Grossman has uncovered a problem with Safari, where websites can exploit the autofill feature to get personal information from the sources that Safari uses for Autofill, including the address book and Safari's own autofill database.

Topher Kessler MacFixIt Editor


As described on Grossman's blog posting, the problem affects both version 4 and version 5 of Safari, and happens because Safari will automatically look for personal information to put in form fields when a user starts entering text in these fields. If the text matches the information Safari uses for autofill, then the program will fill out the remainder of the fields accordingly, highlighting the autofilled information in yellow.

Malicious websites just need to use JavaScript code to create such fields and then simulate keystroke entries into those fields. When the entered character matches expected information in Safari's autofill, the program will fill out the remaining fields just as if the user had entered the information. The form can then be submitted to the website automatically, without the user ever seeing it.

AutoFill Preferences
Uncheck these boxes in Safari's preferences to turn off AutoFill.

Grossman links to a proof-of-concept website that shows this behavior.

For now the safest thing to do is turn off Safari's autofill function, especially if you do not use it regularly. This feature can be found by going to Safari's preferences, then unchecking all options in the "AutoFill" section. Grossman so far has no information regarding Apple's knowledge of this problem, but hopefully this will be fixed soon in an update to both Safari 4 and 5.
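The same change can be made from the command line, which is handier if you manage several Macs. The script below is an added example and is not part of Grossman's post or Apple's documentation; the four `com.apple.Safari` preference keys it writes are assumed to be the ones behind the AutoFill checkboxes in Safari 4 and 5, so check them against `defaults read com.apple.Safari` on your own machine before relying on it. Quit Safari before running it so the new values are picked up on the next launch.

```shell
#!/bin/sh
# Added example (not from the article): turn off every Safari AutoFill source
# from the command line, the same change the article describes making in
# Safari > Preferences > AutoFill. The preference keys below are ASSUMED to be
# the com.apple.Safari defaults backing those checkboxes; verify them locally.

DOMAIN="com.apple.Safari"
# Command used to read/write preferences. Overridable so the logic can be
# exercised (e.g. with a stub) on a machine that has no `defaults` binary.
DEFAULTS_CMD="${DEFAULTS_CMD:-defaults}"

# One key per AutoFill checkbox (assumed names: address book, passwords,
# credit cards, other forms).
AUTOFILL_KEYS="AutoFillFromAddressBook AutoFillPasswords AutoFillCreditCardData AutoFillMiscellaneousForms"

# Write "false" to every AutoFill key. Returns non-zero if any write fails.
disable_safari_autofill() {
    rc=0
    for key in $AUTOFILL_KEYS; do
        "$DEFAULTS_CMD" write "$DOMAIN" "$key" -bool false || rc=1
    done
    return $rc
}

# Print "key=value" for each AutoFill key; "(unset)" when the key is absent.
safari_autofill_status() {
    for key in $AUTOFILL_KEYS; do
        value=$("$DEFAULTS_CMD" read "$DOMAIN" "$key" 2>/dev/null) || value="(unset)"
        printf '%s=%s\n' "$key" "$value"
    done
}

# Return 0 only if every AutoFill key reads back as 0 (false); an unset key
# counts as "still on", because Safari's default for these options is on.
safari_autofill_is_off() {
    safari_autofill_status | while IFS='=' read -r key value; do
        [ "$value" = "0" ] || exit 1
    done
}

# Usage: sh safari_autofill.sh off     (disable and show the result)
#        sh safari_autofill.sh status  (just show the current values)
case "${1:-}" in
    off)    disable_safari_autofill && safari_autofill_status ;;
    status) safari_autofill_status ;;
esac
```

Re-enabling a single source later is just `defaults write com.apple.Safari <key> -bool true` for that key, assuming the same key names.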


