Serious Safari Security Flaw Found: A Bug Exposes Your Personal Information

If you are among the more than 80 million people who use Apple’s Safari browser to surf the web, you may want to change your settings stat.

At the moment, if you are a Safari user simply browsing the web, a malicious website can uncover your first name, last name, workplace, city, state, and email address, even if you have never visited that site before or entered any personal information on it.


This is possible through a flaw in Safari’s AutoFill feature that allows malicious websites to extract a user’s first name, last name, workplace, city, state, and email address. The user does not even need to fill out a form to trigger the bug: it occurs simply by loading the site and takes only seconds. WhiteHat Security’s Jeremiah Grossman has described it in greater detail.

In Safari, AutoFill uses data from the user’s personal record (the “Me” card) in the local operating system address book. Again, it is important to emphasize that this works even though the user never entered this data on any website. This behavior should also not be confused with the normal auto-complete data a web browser may remember after it is typed into a form.

To better understand what we are talking about, visit this website using Safari version 4 or 5 (the latest): Safari AutoFill Exploit and press the “START” button.

In a few seconds the page shows you your first name, last name, workplace, city, state, and email address. Luckily this is only a harmless demo, but it works exactly as a malicious website would. On a malicious website, your personal data could be transmitted to the site’s operator without you doing anything and without you seeing anything. All of this could happen in the background while you are surfing the web.

In other words, with Safari a website can steal a visitor’s identity without the visitor noticing. Goodbye anonymity. Imagine setting a trap on a website with objectionable content and thereby collecting the identities of its visitors. The possibilities for spamming and blackmail are easy to guess.

To read more, see Jeremiah Grossman’s article: I know who your name, where you work, and live (Safari v4 & v5)

One thought on “Serious Safari Security Flaw Found: A Bug Exposes Your Personal Information”

  1. Tested my site on my Safari with autofill enabled and did not see it pull any personal info. Looks like Mac might have fixed the issue already.
