Safari AutoFill Security Issue Rears Its Head Once Again

Back in July, security researcher Jeremiah Grossman revealed a security issue that could allow malicious parties to take advantage of Safari's AutoFill feature to extract personal information from users' Address Book entries. At the time, Grossman said that his report to Apple had gone essentially unacknowledged for nearly a month, but just six days later Apple released Safari 5.0.1 and 4.1.1 to address the problem.


Screenshot of Grossman's proof-of-concept test of new AutoFill exploit

Grossman now reports that he has discovered another similar AutoFill security issue that, while requiring the malicious party to trick users into providing a pair of keystrokes rather than being completely automated as in the previous exploit, offers an even more efficient means for users' personal information to be obtained.

To perform our attack requires a tiny bit of end-user trickery. Two button presses to be precise. A malicious website detects (ie: IP address) the country the victim is from. For our purposes here we'll assume the "US." The attacker invisibly (CSS transparency) sets up the aforementioned form and forces the keystroke focus into the country element. Notice how this is done in the video on the right side of the screen, which is only visible for demonstration purposes. Next the attacker entices the victim to type "U" (first character of "US") and then press "TAB." And BAM! That's it! Data stolen.

Grossman relates that he notified Apple of the newly-discovered exploit via email on August 10th and again a few days later. One week after that, he received a phone call from an Apple product security engineer with whom he had a "productive chat" about how the original vulnerability report from June had been handled, only to discover at the end of the conversation that the engineer had no idea that Grossman had reported the second issue a week and a half prior.

As with the earlier exploit, users can protect themselves by simply turning off the AutoFill option to automatically populate forms with information from their Address Book cards. Grossman notes, however, that he is unsure how Apple plans to address the vulnerability while still maintaining the convenience of the AutoFill feature. While Apple's previous patch allowed Safari to automatically differentiate automated JavaScript-simulated keystrokes from real keystrokes, thus thwarting the original exploit, the new exploit relies on tricking the user into actually entering the necessary keystroke, a tactic that could be more difficult to address.

Top Rated Comments

22 months ago
aw crap. man i'm all depressed now. went from hey! there's a 7 inch ipad coming to hey! safari just sent all your info to bangladesh. :rolleyes:
Rating: 0 Positives / 0 Negatives
22 months ago
Maybe it's time to just disable AutoFill until the security issues are completely fixed.
Rating: 0 Positives / 0 Negatives
22 months ago
simply use chrome...
Rating: 0 Positives / 0 Negatives
22 months ago
Can someone please tell me how the ability to obtain my name and address is a huge security threat? They can grab a phone book and get a bunch of that kind of info with far less effort.

Not sure what the big deal is. It's not like the Address book info contains credit card and Social Security numbers. :confused:
Rating: 0 Positives / 0 Negatives
22 months ago
Why are people visiting these malicious sites anyway? To me the best security is to only go to respected, well-known sites. It's like walking through the bad part of the neighborhood at night. Bad things may happen.
Rating: 0 Positives / 0 Negatives
22 months ago

Why are people visiting these malicious sites anyway? To me the best security is to only go to respected, well-known sites. It's like walking through the bad part of the neighborhood at night. Bad things may happen.


I agree with you, but as a precaution I turned off Autofill from my Safari browser, Chrome Browser and Mobile Safari Browser a long time ago (before the story came out in June) just because I never trusted that feature.
Rating: 0 Positives / 0 Negatives
22 months ago

Why are people visiting these malicious sites anyway?


I think the implication was that this could be implanted onto an otherwise reputable site if it could be broken into.

Can someone please tell me how the ability to obtain my name and address is a huge security threat? They can grab a phone book and get a bunch of that kind of info with far less effort.


Because it ties your name and address to an IP address.
Rating: 0 Positives / 0 Negatives
22 months ago
So let me get this straight... you have an autofill feature and you think it's a security bug because the user typed data into a cell that has focus, pressed tab to switch cells which triggers the auto-completion.

That is the entire point of auto-completion and is available in every browser.

The fact that it's on by default in Safari is where the potential problem exists.
Rating: 0 Positives / 0 Negatives
22 months ago
This is not a Mac/PC thing or even a Safari issue. It applies to all browsers.

The way any browser should handle auto fill is to NEVER write information to parts of the screen that cannot be seen. This means even if the window is covered by another window.

Next it might be good if all browsers asked before they sent any data the user did not type in himself, by hand. Pop-ups are annoying but the auto fill process might add something that forces the user to verify that the information entered is correct and desired.
Rating: 0 Positives / 0 Negatives
22 months ago
Sounds like a pretty easy fix: don't autofill form elements that aren't visible to the user.
Rating: 0 Positives / 0 Negatives