Safari AutoFill Security Issue Rears Its Head Once Again
Back in July, security researcher Jeremiah Grossman revealed a security issue that could allow malicious parties to take advantage of Safari's AutoFill feature to extract personal information from users' Address Book entries. At the time, Grossman reported that his report to Apple had gone essentially unacknowledged for nearly a month, but just six days later Apple released Safari 5.0.1 and 4.1.1 to address the problem.
Screenshot of Grossman's proof-of-concept test of new AutoFill exploitGrossman
now reports that he has discovered another similar AutoFill security issue that, while requiring the malicious party to trick users into providing a pair of keystrokes rather than being completely automated as in the previous exploit, offers an even more efficient means for users' personal information to be obtained.
To perform our attack requires tiny bit of end-user trickery. Two button presses to be precise. A malicious website detects (ie: IP address) the country the victim is from. For our purposes here we'll assume the "US." The attacker invisibly (CSS transparency) sets up the aforementioned form and forces the keystroke focus into the country element. Notice how this is done in the video on the right side of the screen, which only visible for demonstration purposes. Next the attacker entices the victim to type "U" (first character of "US") and then press "TAB." And BAM! That's it! Data stolen.
Grossman relates that he notified Apple of the newly-discovered exploit via email on August 10th and again a few days later. One week after that, he received a phone call from an Apple product security engineer with whom he had a "productive chat" about how the original vulnerability report from June had been handled, only to discover at the end of the conversation that the engineer had no idea that Grossman had reported the second issue a week and half prior.
As with the earlier exploit, users can protect themselves by simply turning off the AutoFill option to automatically populate forms with information from their Address Book cards. Grossman notes, however, that he is unsure how Apple plans to address the vulnerability while still maintaining the convenience of the AutoFill feature. While Apple's previous patch allowed Safari to automatically differentiate from the automated JavaScript-simulated keystrokes from real keystrokes, thus thwarting the original exploit, the new exploit relies on tricking the user into actually entering the necessary keystroke, a tactic that could be more difficult to address.
Popular Stories
iOS 17.2 has been in beta testing for over a month, and it should be released to all users in a few more weeks. The software update includes many new features and changes for iPhones, including the dozen that we have highlighted below. iOS 17.2 is expected to be released to the public in mid-December. To learn about even more features coming in the update, check out our full list. Journal ...
Anker's Black Friday/Cyber Week event is entering its final days this weekend, and it's still offering up to 60 percent off sitewide. There are also a few "mystery boxes" that can include hundreds of dollars in savings, if you're willing to risk not knowing what you're buying ahead of time. All of these sales will end on December 3. Note: MacRumors is an affiliate partner with Anker. When you...
Apple made the first beta of iOS 17.2 available to developers in October. Since then we've seen three more betas, and with each iteration Apple continues to add more new features and changes, many of which users have been anticipating for quite a while. Below, we've listed 28 new things that are coming to your iPhone when the finalized version is publicly released this December. 1. Help...
Apple employees are back to work following a Thanksgiving break, and that means this week saw a number of new operating system updates for both public release and beta testing. This week also saw some misinformation about Apple's new NameDrop feature making the rounds, while Apple and Goldman Sachs appear to be on the verge of a break-up in their Apple Card and savings account partnership,...
Earlier this month, Apple announced that it will finally support RCS in the Messages app on the iPhone starting later next year. This change will result in several improvements to the messaging experience between iPhones and Android devices. RCS will become the new default standard for messaging between iPhones and Android devices, but these conversations will still have green bubbles like...
Best Buy is discounting a collection of MacBook Air and MacBook Pro models to all-time low prices today. We're tracking these deals below in addition to great discounts on the Apple Pencil 2 and Apple Watch Ultra 1. MacBook Air Note: MacRumors is an affiliate partner with some of these vendors. When you click a link and make a purchase, we may receive a small payment, which helps us keep the...
The release of the iPhone 15 Pro and Pro Max saw the introduction of an entirely new user-configurable button known as the Action button, and now, MacRumors has seen extensive evidence confirming Apple is planning to include the Action button on the entire iPhone 16 range. Designs and plans for the Action button date back to at least 2021, as the button was intended for release alongside hapt...
