Apple may have a reputation as a security leader, but that reputation is not entirely earned. Its operating system can be hacked like any other (at hacking conventions such as Def Con, Mac OS has not proven significantly more secure than Windows), and now blogger and white hat hacker (the good kind) Jeremiah Grossman has disclosed a major flaw in Apple's Safari browser.
The flaw stems from Safari's unusual auto-fill system. In most browsers, when you type an address, phone number, name, or other common piece of personal information into a web form, the browser offers to save it for future use. The key point is that you have to actually enter the information at least once before the browser has anything to fill in.
Safari, by contrast, draws on the user's own card in the Address Book app, so the user may never have typed that information into any web page, yet Safari can still drop it into the matching form field. Apple probably sees this as a convenient shortcut (the information is already on the computer, so why enter it again?), but it also means a web page can end up holding Address Book data the user never chose to give it, and that is exactly what Grossman's finding exploits. Says Grossman:
Apple responded that the company is "aware of the issue and working on a fix," though it declined to say when that fix might arrive. Hopefully that is very soon, because this is a worrisome flaw and users have no good way to protect themselves short of giving up the feature: the only real defense until a patch ships is to turn off Address Book-based auto-fill in Safari's preferences (Preferences > AutoFill, uncheck "Using info from my Address Book card").