Major Flaw in Apple’s Safari Browser Gives Hackers Access to Personal Information

Safari AutoFill preferences page


Apple may have a reputation as a security leader, but it’s not entirely accurate. Its OS can be hacked like any other (at hacking conventions like Def Con, Mac OS has not proven significantly more secure than Windows), and now, blogger and white hat hacker (the good kind) Jeremiah Grossman has discovered a major flaw in Apple’s Safari browser.

The flaw originates from Safari’s unusual auto-fill system. In most browsers, when you fill in an address, phone number, name, or other common bit of personal information, the browser offers the option to save that for future reference. The key there is that you have to actually enter the information at least once to be offered that option.

But Safari actually uses information from the user’s Address Book app on his or her computer, meaning the user might never have entered that information, but Safari can still pop it into the requisite spot. Apple probably sees this as a convenient shortcut–the information’s already in the computer, why enter it again?–but it also opens Safari up to hacking. Says Grossman:

All a malicious website would have to do to surreptitiously extract Address Book card data from Safari is dynamically create form text fields with the aforementioned names, probably invisibly, and then simulate A-Z keystroke events using JavaScript. When data is populated, that is AutoFill’ed, it can be accessed and sent to the attacker.

Apple responded that the company is “aware of the issue and working on a fix,” though it declined to expand on when that fix might arrive. Hopefully that’s very soon–this is a worrisome flaw, and there’s no easy way for users to protect themselves.

Dan Nosowitz, the author of this post, can be followed on Twitter, corresponded with via email, and stalked in San Francisco (no link for that one–you’ll have to do the legwork yourself).

About the author

Dan Nosowitz is a freelance writer and editor who has written for Popular Science, The Awl, Gizmodo, Fast Company, BuzzFeed, and elsewhere. He holds an undergraduate degree from McGill University and currently lives in Brooklyn, because he has a beard and glasses and that's the law.