A feature of Apple’s Safari browser can be used by hackers to harvest personal information, says Jeremiah Grossman, founder and CTO of WhiteHat Security, in his recent blog post.
The feature in question is AutoFill, which automatically fills the text fields of forms in HTML pages with information such as name, address (city, state, country), company, email address, etc.
Unfortunately, this feature is enabled by default and pulls this information from the local operating system address book, not from previously entered data that the browser “remembered” from when you entered it on a different website.
The only information that the feature, for some reason, doesn’t automatically fill is data starting with a number (phone numbers, street addresses), so, yes, it could be worse.
“Still, such attacks could be easily and cheaply distributed on a mass scale using an advertising network where likely no one would ever notice because it’s not exploit code designed to deliver rootkit payload,” says Grossman. “In fact, there is no guarantee this has not already taken place.”
He goes on to say that he contacted Apple with this information a little over a month ago, but has still received no reply from them other than an auto-response message. Until a fix is issued, he recommends that Safari users disable the feature (Preferences > AutoFill > AutoFill web forms).