Safari AutoFill Security Issue Rears Its Head Once Again
Back in July, security researcher Jeremiah Grossman revealed a security issue that could allow malicious parties to take advantage of Safari's AutoFill feature to extract personal information from users' Address Book entries. At the time, Grossman reported that his report to Apple had gone essentially unacknowledged for nearly a month, but just six days later Apple released Safari 5.0.1 and 4.1.1 to address the problem.
Screenshot of Grossman's proof-of-concept test of new AutoFill exploitGrossman
now reports that he has discovered another similar AutoFill security issue that, while requiring the malicious party to trick users into providing a pair of keystrokes rather than being completely automated as in the previous exploit, offers an even more efficient means for users' personal information to be obtained.
To perform our attack requires tiny bit of end-user trickery. Two button presses to be precise. A malicious website detects (ie: IP address) the country the victim is from. For our purposes here we'll assume the "US." The attacker invisibly (CSS transparency) sets up the aforementioned form and forces the keystroke focus into the country element. Notice how this is done in the video on the right side of the screen, which only visible for demonstration purposes. Next the attacker entices the victim to type "U" (first character of "US") and then press "TAB." And BAM! That's it! Data stolen.
Grossman relates that he notified Apple of the newly-discovered exploit via email on August 10th and again a few days later. One week after that, he received a phone call from an Apple product security engineer with whom he had a "productive chat" about how the original vulnerability report from June had been handled, only to discover at the end of the conversation that the engineer had no idea that Grossman had reported the second issue a week and half prior.
As with the earlier exploit, users can protect themselves by simply turning off the AutoFill option to automatically populate forms with information from their Address Book cards. Grossman notes, however, that he is unsure how Apple plans to address the vulnerability while still maintaining the convenience of the AutoFill feature. While Apple's previous patch allowed Safari to automatically differentiate from the automated JavaScript-simulated keystrokes from real keystrokes, thus thwarting the original exploit, the new exploit relies on tricking the user into actually entering the necessary keystroke, a tactic that could be more difficult to address.
Popular Stories
Apple seeded the second iOS 26.2 Release Candidate to developers earlier this week, meaning the update will be released to the general public very soon.
Apple confirmed iOS 26.2 would be released in December, but it did not provide a specific date. We expect the update to be released by early next week.
iOS 26.2 includes a handful of new features and changes on the iPhone, such as a new...
Google Maps on iOS quietly gained a new feature recently that automatically recognizes where you've parked your vehicle and saves the location for you.
Announced on LinkedIn by Rio Akasaka, Google Maps' senior product manager, the new feature auto-detects your parked location even if you don't use the parking pin function, saves it for up to 48 hours, and then automatically removes it once...
Apple has ordered 22 million OLED panels from Samsung Display for the first foldable iPhone, signaling a significantly larger production target than the display industry had previously anticipated, ET News reports.
In the now-seemingly deleted report, ET News claimed that Samsung plans to mass-produce 11 million inward-folding OLED displays for Apple next year, as well as 11 million...
Apple today released new firmware designed for the AirPods Pro 3 and the prior-generation AirPods Pro 2. The AirPods Pro 3 firmware is 8B30, up from 8B25, while the AirPods Pro 2 firmware is 8B28, up from 8B21.
There's no word on what's include in the updated firmware, but the AirPods Pro 2 and AirPods Pro 3 are getting expanded support for Live Translation in the European Union in iOS...
Apple is about to release iOS 26.2, the second major point update for iPhones since iOS 26 was rolled out in September, and there are at least 15 notable changes and improvements worth checking out. We've rounded them up below.
Apple is expected to roll out iOS 26.2 to compatible devices sometime between December 8 and December 16. When the update drops, you can check Apple's servers for the ...
The AirTag 2 will include a handful of new features that will improve tracking capabilities, according to a new report from Macworld. The site says that it was able to access an internal build of iOS 26, which includes references to multiple unreleased products.
Here's what's supposedly coming:
An improved pairing process, though no details were provided. AirTag pairing is already...
Apple today seeded the second release candidate version of iOS 26.2 to developers and public beta testers, with the software coming one week after Apple seeded the first RC. The release candidate represents the final version iOS 26.2 that will be provided to the public if no further bugs are found.
Registered developers and public beta testers can download the betas from the Settings app on...
Apple is actively testing under-screen Face ID for next year's iPhone 18 Pro models using a special "spliced micro-transparent glass" window built into the display, claims a Chinese leaker.
According to "Smart Pikachu," a Weibo account that has previously shared accurate supply-chain details on Chinese Android hardware, Apple is testing the special glass as a way to let the TrueDepth...
Wednesday December 10, 2025 12:22 pm PST by
Juli CloverThe next-generation low-cost iPad will use Apple's A19 chip, according to a report from Macworld. Macworld claims to have seen an "internal Apple code document" with information about the 2026 iPad lineup.
Prior documentation discovered by MacRumors suggested that the iPad 12 would be equipped with an A18 chip, not an A19 chip. The A19 chip was just released this year in the iPhone 17, and...
Apple's next-generation Studio Display is expected to arrive early next year, and a new report allegedly provides a couple more details on the external monitor's capabilities.
According to internal Apple code seen by Macworld, the new external display will feature a variable refresh rate capable of up to 120Hz – aka ProMotion – as well as support for HDR content. The current Studio...
