Posted on 07/23/2010 2:15:59 AM PDT by Leroy S. Mort
WhiteHat Security said Wednesday that it had found an issue in how Safari's AutoFill feature handles personal information, which could open up the personal information of a web surfer simply by visiting a malicious website.
Using a few lines of code, the hacker would be able to obtain the information without the user even knowing it occurred. The "Using info from my Address Book card" option would need to be checked in AutoFill preferences in order for the hack to work.
There is one positive: AutoFill does not work with fields starting with numbers, meaning street addresses and phone numbers would not be able to be accessed using publicly available code.
It is believed that the flaw resides within the WebKit engine that powers Safari. Grossman tried the exploit code on Google's Chrome browser which also uses the WebKit engine, but was unable to replicate the issue.
WhiteHat founder and CTO Jeremiah Grossman said in a blog post that he had attempted to contact Apple prior to disclosure of the vulnerability twice, but had received no response.
"I have no idea when or if Apple plans to fix the issue, or even if they are aware, but thankfully Safari users only need to disable AutoFill web forms to protect themselves," he mused.
While the flaw is not serious since it only seems to be able to steal a user's name, city, state, country, and e-mail, it still could open up the user to spam. Hackers could use additional techniques to phish further information on the victim if they so desired.
Autofill is dangerous on any browser. Aside from the various remote hacks that have happened over the years, any casual passer-by can strip things like credit card numbers and other personal data from your machine if left alone with it for a few minutes - if Autofill is on.
Next you're going to say that the App Store does not allow apps which do something other than what they purport to do!
HOW DARE YOU QUESTION THE INVINCIBILITY OF APPLE!
/sarc
Hater!
The headline is misleading. The flaw does not provide access to the “Mac OS X address book”, it can gain access to some of the information off of a single address book record (the user’s own), assuming the user has certain options enabled.
That’s kinda splitting hairs, isn’t it. How would you have written the headline for betanews?
No, I don't think it is splitting hairs. There's a huge difference between exposing a specific piece of data and allowing access to the entire address book. (Not to minimize the actual flaw, which does appear to be a problem in need of fixing.)
A more honest headline would likely have read something like:
That would be honest and still point to a significant issue.
Wonder if Steve Jobs' solution will be "Just start your name with a number"?
99Leroy
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.