Safari AutoFill Security Issue Rears Its Head Once Again
Back in July, security researcher Jeremiah Grossman revealed a security issue that could allow malicious parties to take advantage of Safari's AutoFill feature to extract personal information from users' Address Book entries. At the time, Grossman reported that his report to Apple had gone essentially unacknowledged for nearly a month, but just six days later Apple released Safari 5.0.1 and 4.1.1 to address the problem.
Screenshot of Grossman's proof-of-concept test of new AutoFill exploitGrossman
now reports that he has discovered another similar AutoFill security issue that, while requiring the malicious party to trick users into providing a pair of keystrokes rather than being completely automated as in the previous exploit, offers an even more efficient means for users' personal information to be obtained.
To perform our attack requires tiny bit of end-user trickery. Two button presses to be precise. A malicious website detects (ie: IP address) the country the victim is from. For our purposes here we'll assume the "US." The attacker invisibly (CSS transparency) sets up the aforementioned form and forces the keystroke focus into the country element. Notice how this is done in the video on the right side of the screen, which only visible for demonstration purposes. Next the attacker entices the victim to type "U" (first character of "US") and then press "TAB." And BAM! That's it! Data stolen.
Grossman relates that he notified Apple of the newly-discovered exploit via email on August 10th and again a few days later. One week after that, he received a phone call from an Apple product security engineer with whom he had a "productive chat" about how the original vulnerability report from June had been handled, only to discover at the end of the conversation that the engineer had no idea that Grossman had reported the second issue a week and half prior.
As with the earlier exploit, users can protect themselves by simply turning off the AutoFill option to automatically populate forms with information from their Address Book cards. Grossman notes, however, that he is unsure how Apple plans to address the vulnerability while still maintaining the convenience of the AutoFill feature. While Apple's previous patch allowed Safari to automatically differentiate from the automated JavaScript-simulated keystrokes from real keystrokes, thus thwarting the original exploit, the new exploit relies on tricking the user into actually entering the necessary keystroke, a tactic that could be more difficult to address.
Popular Stories
Apple will launch its new iPhone 17 series in two months, and the iPhone 17 Pro models are expected to get a new design for the rear casing and the camera area. But more significant changes to the lineup are not expected until next year, when the iPhone 18 models arrive.
If you're thinking of trading in your iPhone for this year's latest, consider the following features rumored to be coming...
A new Apple TV is expected to be released later this year, and a handful of new features and changes have been rumored for the device.
Below, we recap what to expect from the next Apple TV, according to rumors.
Rumors
Faster Wi-Fi Support
The next Apple TV will be equipped with Apple's own combined Wi-Fi and Bluetooth chip, according to Bloomberg's Mark Gurman. He said the chip supports ...
Apple's next-generation iPhone 17 Pro and iPhone 17 Pro Max are only two months away, and there are plenty of rumors about the devices.
Below, we recap key changes rumored for the iPhone 17 Pro models.
Latest Rumors
These rumors surfaced in June and July:A redesigned Dynamic Island: It has been rumored that all iPhone 17 models will have a redesigned Dynamic Island interface — it might ...
Apple does not plan to refresh any Macs with updated M5 chips in 2025, according to Bloomberg's Mark Gurman. Updated MacBook Air and MacBook Pro models are now planned for the first half of 2026.
Gurman previously said that Apple would debut the M5 MacBook Pro models in late 2025, but his newest report suggests that Apple is "considering" pushing them back to 2026. Apple is now said to be...
iPhone 17 Pro and iPhone 17 Pro Max models with displays made by BOE will be sold exclusively in China, according to a new report.
Last week, it emerged that Chinese display manufacturer BOE was aggressively ramping up its OLED production capacity for future iPhone models as part of a plan to recapture a major role in Apple's supply chain.
Now, tech news aggregator Jukan Choi reports...
The long wait for an Apple Watch Ultra 3 is nearly over, and a handful of new features and changes have been rumored for the device.
Below, we recap what to expect from the Apple Watch Ultra 3:Satellite connectivity for sending and receiving text messages when Wi-Fi and cellular coverage is unavailable
5G support, up from LTE on the Apple Watch Ultra 2
Likely a wide-angle OLED display that ...
In select U.S. states, residents can add their driver's license or state ID to the Wallet app on the iPhone and Apple Watch, providing a convenient and contactless way to display proof of identity or age at select airports and businesses, and in select apps.
Unfortunately, this feature continues to roll out very slowly since it was announced in 2021, with only nine U.S. states, Puerto Rico,...
The iPhone 17 and iPhone 17 Air will be available in a total of nine color options, according to new information coming out of Asia.
The iPhone 17 Air's expected color options.
According to the leaker going by the account name "yeux1122" on the Korean blog Naver, accessory manufacturers are now producing camera protector rings for the iPhone 17 and iPhone 17 Air in colors to match their...
