Safari AutoFill Security Issue Rears Its Head Once Again

Back in July, security researcher Jeremiah Grossman revealed a security issue that could allow malicious parties to take advantage of Safari's AutoFill feature to extract personal information from users' Address Book entries. At the time, Grossman reported that his report to Apple had gone essentially unacknowledged for nearly a month, but just six days later Apple released Safari 5.0.1 and 4.1.1 to address the problem.

134256 safari autofill u tab exploit 500
Screenshot of Grossman's proof-of-concept test of new AutoFill exploit

Grossman now reports that he has discovered another similar AutoFill security issue that, while requiring the malicious party to trick users into providing a pair of keystrokes rather than being completely automated as in the previous exploit, offers an even more efficient means for users' personal information to be obtained.

To perform our attack requires tiny bit of end-user trickery. Two button presses to be precise. A malicious website detects (ie: IP address) the country the victim is from. For our purposes here we'll assume the "US." The attacker invisibly (CSS transparency) sets up the aforementioned form and forces the keystroke focus into the country element. Notice how this is done in the video on the right side of the screen, which only visible for demonstration purposes. Next the attacker entices the victim to type "U" (first character of "US") and then press "TAB." And BAM! That's it! Data stolen.

Grossman relates that he notified Apple of the newly-discovered exploit via email on August 10th and again a few days later. One week after that, he received a phone call from an Apple product security engineer with whom he had a "productive chat" about how the original vulnerability report from June had been handled, only to discover at the end of the conversation that the engineer had no idea that Grossman had reported the second issue a week and half prior.

As with the earlier exploit, users can protect themselves by simply turning off the AutoFill option to automatically populate forms with information from their Address Book cards. Grossman notes, however, that he is unsure how Apple plans to address the vulnerability while still maintaining the convenience of the AutoFill feature. While Apple's previous patch allowed Safari to automatically differentiate from the automated JavaScript-simulated keystrokes from real keystrokes, thus thwarting the original exploit, the new exploit relies on tricking the user into actually entering the necessary keystroke, a tactic that could be more difficult to address.

Popular Stories

iPhone 17 Pro Blue Feature Tighter Crop

iPhone 17 Pro Launching Later This Year With These 13 New Features

Wednesday April 23, 2025 8:31 am PDT by
While the iPhone 17 Pro and iPhone 17 Pro Max are not expected to launch until September, there are already plenty of rumors about the devices. Below, we recap key changes rumored for the iPhone 17 Pro models as of April 2025: Aluminum frame: iPhone 17 Pro models are rumored to have an aluminum frame, whereas the iPhone 15 Pro and iPhone 16 Pro models have a titanium frame, and the iPhone ...
iphone 17 dummies sonny dickson

iPhone 17 Air Almost as Thin as Its Buttons, New Images Show

Thursday April 24, 2025 2:14 am PDT by
If you missed the video showing dummy models of Apple's all-new super thin iPhone 17 Air that's expected later this year, Sonny Dickson this morning shared some further images of the device in close alignment with the other dummy models in the iPhone 17 lineup, indicating just how thin it is likely to be in comparison. The iPhone 17 Air is expected to be around 5.5mm thick – with a thicker ...
iPhone 17 Air Pastel Feature

iPhone 17 Air Launching Later This Year With These 16 New Features

Thursday April 24, 2025 8:24 am PDT by
While the so-called "iPhone 17 Air" is not expected to launch until September, there are already plenty of rumors about the ultra-thin device. Overall, the iPhone 17 Air sounds like a mixed bag. While the device is expected to have an impressively thin and light design, rumors indicate it will have some compromises compared to iPhone 17 Pro models, including only a single rear camera, a...
AirPods Pro 3 Mock Feature

AirPods Pro 3 Just Months Away – Here's What We Know

Friday April 18, 2025 5:16 am PDT by
Despite being more than two years old, Apple's AirPods Pro 2 still dominate the premium wireless‑earbud space, thanks to a potent mix of top‑tier audio, class‑leading noise cancellation, and Apple's habit of delivering major new features through software updates. With AirPods Pro 3 widely expected to arrive in 2025, prospective buyers now face a familiar dilemma: snap up the proven...
iphone 17 air dummy unbox therapy

iPhone 17 Air's Extreme Thinness Demoed in New Video

Tuesday April 22, 2025 10:22 am PDT by
Apple plans to release an all-new super thin iPhone this year, debuting it alongside the iPhone 17, iPhone 17 Pro, and iPhone 17 Pro Max. We've seen pictures of dummy models, cases, and renders with the design, but Lewis Hilsenteger of Unbox Therapy today showed off newer dummy models that give us a better idea of just how thin the "iPhone 17 Air" will be. The iPhone 17 Air is expected to be ...
Global Close Your Rings Day Pin

Apple Stores Giving Away a Limited-Edition Pin For Free Today

Thursday April 24, 2025 10:15 am PDT by
Starting today, April 24, Apple Stores around the world are giving away a special pin for free to customers who request one, while supplies last. Photo Credit: Filip Chudzinski The enamel pin's design is inspired by the Global Close Your Rings Day award in the Activity app, which Apple Watch users can receive by closing all three Activity rings today. The limited-edition pin is the physical...
Apple Logo Spotlight Blue

White House Hits Back at Apple's Massive EU Fine

Thursday April 24, 2025 5:57 am PDT by
Apple's $570 million fine from the EU has triggered a sharp rebuke from the White House, which called the fine a form of economic extortion, Reuters reports. The fine was announced on Wednesday by the European Commission, following a formal investigation into Apple's compliance with the bloc's Digital Markets Act (DMA), a landmark piece of legislation aimed at curbing the market dominance of ...
ipad air magic keyboard feature

iPadOS 19 Rumored to Show Mac-Like Menu Bar When Connected to Magic Keyboard

Thursday April 24, 2025 12:09 pm PDT by
When an iPad running iPadOS 19 is connected to a Magic Keyboard, a macOS-like menu bar will appear on the screen, according to the leaker Majin Bu. This change would further blur the lines between the iPad and the Mac. Bloomberg's Mark Gurman previously claimed that iPadOS 19 will be "more like macOS," with unspecified improvements to productivity, multitasking, and app window management,...