Fast Company

Major Flaw in Apple's Safari Browser Gives Hackers Access to Personal Information

Safari AutoFill preferences page

Apple may have a reputation as a security leader, but it's not entirely accurate. Its OS can be hacked like any other (at hacking conventions like Def Con, Mac OS has not proven significantly more secure than Windows), and now, blogger and white hat hacker (the good kind) Jeremiah Grossman has discovered a major flaw in Apple's Safari browser.

The flaw originates from Safari's unusual auto-fill system. In most browsers, when you fill in an address, phone number, name, or other common bit of personal information, the browser offers the option to save that for future reference. The key there is that you have to actually enter the information at least once to be offered that option.

But Safari, when the "Using info from my Address Book card" option is enabled, draws the data directly from the user's Address Book app, filling any form field whose name attribute matches a card field (such as "name," "company," "city," or "state"). The user might never have typed that information into a web page, yet Safari can still pop it into the requisite spot. Apple probably sees this as a convenient shortcut--the information's already in the computer, why enter it again?--but it also opens Safari up to hacking. Says Grossman:

All a malicious website would have to do to surreptitiously extract Address Book card data from Safari is dynamically create form text fields with the aforementioned names, probably invisibly, and then simulate A-Z keystroke events using JavaScript. When data is populated, that is AutoFill’ed, it can be accessed and sent to the attacker.

Apple responded that the company is "aware of the issue and working on a fix," though it declined to say when that fix might arrive. Hopefully that's very soon--this is a worrisome flaw, and the only thing users can do in the meantime is turn off the Address Book option in Safari's AutoFill preferences.
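To make the mechanics concrete, here is an added simulation of the attack Grossman describes, written for this page and not taken from Grossman's proof of concept or from Safari itself. It models Safari's AutoFill as a function that completes a form field whose name matches an Address Book field once the typed prefix matches the start of the stored value (that matching rule is an assumption about Safari 5.0-era behaviour, used here only to illustrate the point), then runs the attacker's loop: try the keystrokes A to Z against each field name and keep whatever gets filled in. The Address Book card, the field names "phone" and "street", and the payload format are all constructed for the example. It also shows the limitation quoted in the comments (values that begin with a digit never match a letter keystroke) and that unchecking the Address Book preference stops the leak entirely.

```javascript
// Constructed sample Address Book card (fictional data), keyed by the
// form-field name attributes the article says Safari matches on.
// "phone" and "street" are assumed names added to show digit-leading values.
const ADDRESS_BOOK_CARD = {
  name: "Jane Example",
  company: "Example Corp",
  city: "San Francisco",
  state: "CA",
  phone: "415-555-0100",
  street: "123 Market Street",
};

// Field names the attacker's hidden form would use.
const TARGET_FIELDS = ["name", "company", "city", "state", "phone", "street"];

// Assumed model of Safari's Address Book AutoFill, as the article describes it:
// if the preference is on and the field's name attribute matches a card
// attribute, Safari completes the field with the card value when that value
// starts with what the user has typed (case-insensitive). Returns the filled
// value, or null when nothing is filled. This is a simulation, not Safari.
function safariAutoFill(card, prefsUseAddressBook, fieldName, typedPrefix) {
  if (!prefsUseAddressBook) return null;
  const value = card[fieldName];
  if (value === undefined) return null;
  if (!value.toLowerCase().startsWith(typedPrefix.toLowerCase())) return null;
  return value;
}

// Attacker-side loop from the article: for each hidden field, send the
// keystrokes A to Z and collect whatever the browser auto-fills. The DOM and
// the synthetic key events are replaced by direct calls to the simulation.
// Values that begin with a digit never match a letter, so they are not leaked.
function harvest(card, prefsUseAddressBook, fieldNames) {
  const stolen = {};
  const letters = "abcdefghijklmnopqrstuvwxyz";
  for (const field of fieldNames) {
    for (const letter of letters) {
      const filled = safariAutoFill(card, prefsUseAddressBook, field, letter);
      if (filled !== null) {
        stolen[field] = filled;
        break; // one hit per field is enough
      }
    }
  }
  return stolen;
}

// Exfiltration step: encode the harvested fields as a query string, the shape
// a beacon request to the attacker's server would carry.
function exfilPayload(stolen) {
  return Object.entries(stolen)
    .map(([k, v]) => `${encodeURIComponent(k)}=${encodeURIComponent(v)}`)
    .join("&");
}

// Stand-alone run: preference on leaks the letter-leading fields only;
// preference off (the mitigation from Safari's AutoFill pane) leaks nothing.
console.log("AutoFill on: ", exfilPayload(harvest(ADDRESS_BOOK_CARD, true, TARGET_FIELDS)));
console.log("AutoFill off:", exfilPayload(harvest(ADDRESS_BOOK_CARD, false, TARGET_FIELDS)));
```

In a real page the hidden fields would be created with `document.createElement("input")` and the letters delivered as keyboard events; the simulation keeps only the logic so it can run anywhere. Note that the loop breaks on the first letter that fills a field, which is why a value such as "CA" is recovered from the single keystroke "c".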

Dan Nosowitz, the author of this post, can be followed on Twitter, corresponded with via email, and stalked in San Francisco (no link for that one--you'll have to do the legwork yourself).

4 Comments

  • NotTellingYou

Hmm...is it me, or is this WAY overblown, like antennagate?

    Let's look:

    "autofills HTML form text fields with specific attribute names such as "name," "company," "city," and "state."

    Isn't this the kind of information we post to any number of blogs, news sites, LinkedIn, and Facebook BY DEFAULT? I mean if someone wanted this information it's out there MANY places for the taking?

    "However, the Autofill attack can't obtain data beginning with a number, such as phone numbers or street addresses"

    So wouldn't it be easier, and more productive and effective, to just buy any number of complete marketing mailing lists that do include the names, numbers, and complete addresses of millions of people?

    "This feature just makes it easier for criminals to do mass collections of information that they can later sell, and compromise your identity," said Rob Enderle, principal analyst at the Enderle Group."

    Rob, if that were true, and we could all have our identities compromised by allowing "text fields with specific attribute names such as "name," "company," "city," and "state"," wouldn't the same be true of one of the plethora of marketing mailing lists and spam email lists out there? I guess I'm not sure how grabbing this information from Safari would do that when there are, and have been for decades, other ways to gain this data that are completely legal.

    Anyway, all in all I'm not happy someone can grab my name, city and state, but frankly you can also grab that from any number of places, and if you want to know that and more you can get any number of lists without me knowing about it anyway! All you need to do is check out my mailbox at Christmas time and see all the junk mail to realize that!

    Oh well...carry on!

  • Joel Newman

    Wouldn't the easy way for users to protect themselves be to uncheck that box shown in the picture?

  • NotTellingYou

    From Apple's Safari 101 page:
    "To enable AutoFill, choose Preferences from the Safari menu, click the AutoFill button, and select the "Using info from my Address Book card" checkbox. To make sure that your card is up to date, click the Edit button to open Address Book."