Safari AutoFill Security Issue Rears Its Head Once Again
Back in July, security researcher Jeremiah Grossman revealed a security issue that could allow malicious parties to take advantage of Safari's AutoFill feature to extract personal information from users' Address Book entries. At the time, Grossman reported that his report to Apple had gone essentially unacknowledged for nearly a month, but just six days later Apple released Safari 5.0.1 and 4.1.1 to address the problem.
Screenshot of Grossman's proof-of-concept test of new AutoFill exploitGrossman
now reports that he has discovered another similar AutoFill security issue that, while requiring the malicious party to trick users into providing a pair of keystrokes rather than being completely automated as in the previous exploit, offers an even more efficient means for users' personal information to be obtained.
To perform our attack requires tiny bit of end-user trickery. Two button presses to be precise. A malicious website detects (ie: IP address) the country the victim is from. For our purposes here we'll assume the "US." The attacker invisibly (CSS transparency) sets up the aforementioned form and forces the keystroke focus into the country element. Notice how this is done in the video on the right side of the screen, which only visible for demonstration purposes. Next the attacker entices the victim to type "U" (first character of "US") and then press "TAB." And BAM! That's it! Data stolen.
Grossman relates that he notified Apple of the newly-discovered exploit via email on August 10th and again a few days later. One week after that, he received a phone call from an Apple product security engineer with whom he had a "productive chat" about how the original vulnerability report from June had been handled, only to discover at the end of the conversation that the engineer had no idea that Grossman had reported the second issue a week and half prior.
As with the earlier exploit, users can protect themselves by simply turning off the AutoFill option to automatically populate forms with information from their Address Book cards. Grossman notes, however, that he is unsure how Apple plans to address the vulnerability while still maintaining the convenience of the AutoFill feature. While Apple's previous patch allowed Safari to automatically differentiate from the automated JavaScript-simulated keystrokes from real keystrokes, thus thwarting the original exploit, the new exploit relies on tricking the user into actually entering the necessary keystroke, a tactic that could be more difficult to address.
Popular Stories
Apple today released iOS 18.4 and iPadOS 18.4, the fourth major updates to the iOS 18 and iPadOS 18 operating system updates that came out last year. iOS 18.4 and iPadOS 18.4 come two months after Apple released iOS 18.3 and iPadOS 18.3.
Subscribe to the MacRumors YouTube channel for more videos.
The new software can be downloaded on eligible iPhones and iPads over-the-air by going to...
iOS 19 will not be available on the iPhone XR, iPhone XS, or the iPhone XS Max, according a private account on social media site X that has accurately provided information on device compatibility in the past.
The iPhone XR, iPhone XS, and iPhone XS Max all have an A12 Bionic chip, so it looks like iOS 19 will discontinue support for that chip. All other iPhones that run iOS 18 are expected...
While the iPhone 17 Pro and iPhone 17 Pro Max are not expected to launch until September, there are already plenty of rumors about the devices.
Below, we recap key changes rumored for the iPhone 17 Pro models as of March 2025:
Aluminum frame: iPhone 17 Pro models are rumored to have an aluminum frame, whereas the iPhone 15 Pro and iPhone 16 Pro models have a titanium frame, and the iPhone ...
Apple today released new firmware updates for all AirPods 4 and AirPods Pro 2 models. The new firmware is version 7E93, up from the 7B21 firmware that was installed on the AirPods Pro 2 and the 7B20 firmware available on the AirPods 4 and AirPods 4 with ANC.
It is not immediately clear what new features or changes are included in the new firmware, but we'll update this article should we find ...
Apple's big developer event is a little over two months away, and rumors about what we can expect to see in Apple's next major operating system updates are becoming increasingly frequent.
A public release of iOS 18.4 is also imminent with a number of updates and improvements, although we won't be getting the major Apple Intelligence Siri upgrades that had reportedly been planned for this...
Apple today released macOS Sequoia 15.4, the fourth major update to the macOS Sequoia operating system that launched in September. macOS Sequoia 15.4 comes two months after the launch of macOS Sequoia 15.3.
Mac users can download the macOS Sequoia update through the Software Update section of System Settings. It is available for free on all Macs able to run macOS 15.
With...
Multiple sources have claimed that iOS 19 will introduce a new design with more translucent buttons, menus, notification banners, and more, and there is now another clue that points towards this glass-like appearance.
Bloomberg's Mark Gurman today said the new design project is codenamed "Solarium" internally. A solarium is a room with glass walls that allow in plenty of sunlight, so this...
Apple today released watchOS 11.4, the fourth major update to the operating system that runs on the Apple Watch. watchOS 11.4 is compatible with the Apple Watch Series 6 and later, all Apple Watch Ultra models, and the Apple Watch SE 2.
watchOS 11.4 can be downloaded on a connected iPhone by opening up the Apple Watch app and going to General > Software Update. To install the new software,...
