Breaking News: Research key to good apps: Westpac CIO

ZDNet / Security / Story

Safari autofill exploit exposes user data

By on July 23rd, 2010 

Topics

security, apple, safari, browser

Top related stories

Apple's new Safari fixes 44 holes

Apple's new Safari fixes 44 holes

Chrome, Safari taking browser share

Chrome, Safari taking browser share

Apple adds features to Safari browser

Apple adds features to Safari browser

Related gallery

AusCERT 2012 pics: Vaders and Terminators

AusCERT 2012 pics: Vaders and Terminators

Related video

A closer look at iOS 5

A closer look at iOS 5

Submit

The autofill option in Apple's Safari browser can expose personal data without the user's consent, a security researcher reported on Wednesday.

It remains unclear as to whether the problem affects Safari specifically or all WebKit-based browsers, which include Google Chrome. It's recommended that Safari and Chrome users disable the autofill feature immediately, until further notice.

Jeremiah Grossman, the chief technical officer of WhiteHat Security, documented the exploit in a blog post on Wednesday, saying that it affects both the current version of Safari, version 5, and the legacy version, Safari 4. He said that the exploit is severe enough that a malicious website can access autofill information from Safari without the user entering in any personal information on the site, or even if the user had never visited the site previously.

A malicious website would only have to create dynamic form text fields with appropriate names, such as "address" or "credit card", and simulate A-Z keystrokes using JavaScript, and then the data would be filled in automatically, Grossman said in the blog post. This would work, he said, even if the text fields were hidden from the visitor's view. He also added that he notified Apple of the security breach on 17 June in accordance with accepted "best behaviour" practices for security researchers, but received only an automatic response.

But it looks like the exploit may not be new. In a blog post from April 2009, Swiss security researcher Patrice Neff uncovered a strikingly similar exploit, which went unnoticed by many people, where Safari would submit a birthday without the user's consent. Neff was able to write a script that could harvest that information from Safari browsers. It's not clear at this point whether the exploits are identical, or just have similar-looking outcomes.

Regardless, the exploit highlights the risk in using automatic data-filling technology without stronger security controls. Users can disable autofill in Safari by going to Preferences, AutoFill and AutoFill web forms. In Chrome, go to the "wrench" menu, choose Options, Personal Stuff and click the AutoFill button. The exploit does not appear at this time to affect the mobile Safari on iOS, or the WebKit-based browser on Android.

Apple's official statement on the autofill vulnerability did not address specifics. "We take security and privacy very seriously. We're aware of the issue and working on a fix," said an Apple representative.

Google did not immediately return a request for comment.

Via CNET

Talkback

Add your opinion

In order to post a comment, you need to be registered. (Sign In or register below)

Post your comment

Terms of Service - As a ZDNet registrant, and by using this service, you indicate that you agree to our Terms and Conditions and have read and understand our Privacy Policy.

Tech Blueprint

IT Priorities Special Report: Security

Emerging Technologies, and the New IT Security Landscape

IDC White Paper on Consumerisation Security

Get expert advice for developing or improving your BYOD security strategy.
Read white paper >

Mobile Trends and Perceptions

Survey by Decisive Analytics exposes the good and bad realities of BYOD.
Read analyst report >

ZDNet Australia Live

CIOview Research key to good apps: Westpac CIO - ZDNet Australia http://t.co/jRacRqbU

iPad news: Research key to good apps: Westpac CIO - ZDNet Australia http://t.co/coXq00rx

RT @zdnetaustralia Westpac: knowing the device and a user's behaviour is key to developing a good app: http://t.co/o5GXQhGj ^LH

Westpac: knowing the device and a user's behaviour is key to developing a good app: http://t.co/1FxHn0kT ^LH

Research key to good #apps: #Westpac CIO http://t.co/0T0xmWfl #mobile #android #iphone

surprised that #DHS labelled BYOD immature. i'm thinking the "for us" is a closer reflection of market readiness http://t.co/4cLnsFiE

SAP eyes #cloud super network with Ariba buy: SAP America is looking to develop "the business network of the fut... http://t.co/t3a2MOGj

by http://t.co/vmlLt4bh: Research key to good apps: Westpac CIO: Westpac announced yesterday that it has over a m... http://t.co/ua2LT4xZ

RT @Maynardcomau: I missed this story on the ABC website http://t.co/uBoQw8mh

Research key to good apps: Westpac CIO http://t.co/KFfxHxDO

Research key to good apps: Westpac CIO: Westpac announced yesterday that it has over a million users actively si... http://t.co/QAGGwpWu

Research key to good apps: Westpac CIO - ZDNet Australia: Research key to good apps: Westpac CIOZDNet AustraliaW... http://t.co/JJ9mYDXF

RT @zdnetaustralia: SuccessFactors launches Sydney datacentre to host BizX suite for local customers http://t.co/xKvbJnNj ^ST

RT @zdnetaustralia: SAP buys Ariba http://t.co/cQy8nVWp ^ST

SuccessFactors launches Sydney datacentre - Hardware - News - ZDNet Australia | @scoopit http://t.co/B7cK54tF

Research key to good apps: Westpac CIO: Westpac announced yesterday that it has over a million users actively si... http://t.co/0b9GEFrY

SuccessFactors launches Sydney datacentre to host BizX suite for local customers http://t.co/xKvbJnNj ^ST

SuccessFactors launches #Sydney datacentre - @ZDNet Australia : http://t.co/qyzZ4zZN

@Wow - thats one of the benefits of the iPad (and tablets in general). They are one of the most generation neutral products ever made. ...

41 minutes ago by Gav on Westpac board goes paperless with iPads

by http://t.co/vmlLt4bh: Kaspersky's antivirus denied on iOS: Kaspersky Lab is the latest company to be denied th... http://t.co/GpQkVZ2C

A farewell to democracy: Kaspersky http://t.co/VAIQbbXY

@mikey_halapir http://t.co/VOegcFoc FOUND IT.

Android's biggest security flaws http://t.co/00YQDw9T

SuccessFactors launches Sydney datacentre http://t.co/wdofhAGS

#DataCentre SuccessFactors launches Sydney datacentre - ZDNet Australia: SuccessFactors launches Sydney datacent... http://t.co/ajyQKEPL

SuccessFactors launches Sydney datacentre - ZDNet Australia: SuccessFactors launches Sydney datacentreZDNet Aust... http://t.co/VpHzoKJc

Kaspersky is now yet another company that Apple won't let make an official AV app for iOS. http://t.co/E0CsunQ1

and why is this such a super idea? http://www.itnews.com.au/News/301778,thousands-affected-in-billing-cloud-breach.aspx oh, yeah, right...

58 minutes ago by btone on Fed Govt steps up on shared cloud plan

SAP eyes cloud super network with Ariba buy: By Rachel King, ZDNet US on May 23rd, 2012 (5 mins ago) SAP America... http://t.co/gHVI2Q1x

BYOD too immature for us: Human Services http://t.co/d5bL19GZ via @zdnetaustralia

Kaspersky's antivirus denied on iOS: Kaspersky Lab is the latest company to be denied the chance to develop an o... http://t.co/ik2mlpZR

Dell profits plunge in spending lull - Hardware - News - ZDNet Australia | @scoopit http://t.co/iqiQnzox

Automation key for time-poor security boffins http://t.co/qyCXzOwl via @zdnetaustralia

Dell is suffering falling profits as companies hold off on their spending. http://t.co/iK5YBTSN ^ST

Kaspersky's antivirus denied on iOS: Kaspersky Lab is the latest company to be denied the chance to develop an o... http://t.co/0UnTxMKq

Fed Gov unveils draft strategy for "community clouds" http://t.co/9vQcu2AG via @zdnetaustralia #cloud <- specialised availability zones

Wow, seems like a fantastic initiative that helps to save the environment. It must have taken a lot of convincing to get the Board to mov...

1 hour ago by Wow on Westpac board goes paperless with iPads

SAP buys Ariba http://t.co/cQy8nVWp ^ST

I'm a payed up lib member who has voted Labor in the last 2 federal elections. I had the previlege of speaking to Mr Turnball 3 months ag...

2 hours ago by spazmanaught on NBN contracts may be left alone: Turnbull

Good to see Westpac's concentrating on the real IT issues !

2 hours ago by jeff_syd on Westpac board goes paperless with iPads

I am not sure how this issue becomes an attack on Mr Turnbull. But I guess he is fair game. In any event I would have thought a Ddos woul...

12 hours ago by Doubt on National Botnet Network coming: Earthwave

I still use 98SE. Windows ME was an abortion in a bucket and Vista was ME without the bucket. My screen may look boring, but I jumped str...

13 hours ago by Treknology on Microsoft admits Vista was 'cheesy'

This story has been voted 10 times in the last 24 hours!

13 hours ago, CeBIT 2012 opens: photos

This story has been voted 15 times in the last 24 hours!

13 hours ago, Lenovo ThinkPad 3G tablet (32GB)

Well I don't know what they have done with their EFTPOS machines, local one in WA Coles Express I used this morning and I normally do "ch...

13 hours ago by harryinthesoup on Coles ditches PINs in payment pilot

6.7 M last ditch attempt - interesting - The Auckland region (population 1.4 mil) has estimated to have spent less than this in total ...

16 hours ago by debsteele on Vic scraps HealthSMART system

Interesting - no mention of Win 98/ME/2000 ... which heralded Internet access for millions of users ? I thought Win 98/ME would be the mo...

18 hours ago by gouranga on Microsoft admits Vista was 'cheesy'

An Application like Good from Good Technologies does the same thing, working with the enterprise email server and is off the shelf.

18 hours ago by Helpdesk123 on Westpac board goes paperless with iPads

Never mind a "B+" version, go for "C" and put in a few extras. I'd like a high speed ADC (100Msps) but that's just me... Final size? Equ...

19 hours ago by sa_penguin on Raspberry Pi architect mulls design change

what a non-story. these thing happen all the time. is zdnet short on material?

20 hours ago by paulwrussell on Spotify launch suffers redirect bungle

4 months old phone died. Took 6 weeks, three visits to the authorised repairer (Fonebiz) to "fix it". 2nd hand untested parts used, I say...

20 hours ago by paracin on Sony Ericsson Xperia Arc S

It's easy to rubbish an old operating system long after the rest of the world has already passed judgement upon it. I would be far more i...

20 hours ago by ramnet on Microsoft admits Vista was 'cheesy'

If Vista is cheesy, Metro is an over-ripe Stilton.

21 hours ago by meski on Microsoft admits Vista was 'cheesy'

you are kidding right - what qualification do you have to make such wildy stupid statements - do you really have customers who pay you fo...

21 hours ago by rant rant rant on National Botnet Network coming: Earthwave

Exactly. There are two topics of discussion, that are co-mingled; 1) Unauthorized software was put on the company device, by an IT person...

1 day ago by lamont on ABC's Bitcoin miner tackled in minutes

First off, Bitcoin is not a virus. Second off, the only way to generate Bitcoins, is by using a Bitcoin miner. More information on this h...

1 day ago by rizowski on ABC's Bitcoin miner tackled in minutes

When an operating system is sold it should not launch until an approved security service is purchased online with a list of approved supp...

1 day ago by Kevin Cobley on National Botnet Network coming: Earthwave

Facebook Activity

Keep up with ZDNet Australia

LinkedinLinkedin Join our network

RSS FeedsRSS Feeds Subscribe now

NewslettersNewsletters Subscribe today

AlertAlertsSubscribe now

ZDNet Events Calendar

ZDNet Events Calendar

Plan Comparison

Prev Next
Loading...
Deals powered by WhistleOut

Sponsored resources