The AutoFill feature in Apple’s Safari browser could be abused by attackers to steal user information, according to findings from a security researcher.
Jeremiah Grossman, CTO of WhiteHat Security, noted that in Safari version 4 or 5, the AutoFill feature fills in information such as e-mail addresses and names by default whenever it recognizes a form. The data is pulled from Safari’s local operating system address book, and the process occurs whether a person has entered the data on any Website before or not.
“All a malicious Website would have to do to surreptitiously extract Address Book card data from Safari is dynamically create form text fields with the aforementioned names, probably invisibly, and then simulate A-Z keystroke events using JavaScript,” Grossman wrote. “When data is populated, that is AutoFill’ed, it can be accessed and sent to the attacker.”
This should not be confused with the normal auto-complete data a Website may remember after data is typed into a form, he added.
Citing proof-of-concept code from security researcher and SecTheory CEO Robert “RSnake” Hansen, Grossman called the process is a “major breach in online privacy” and wrote that the issue could be leveraged in multistage attacks including e-mail spam and spear phishing.
“Fortunately, any AutoFill data starting with a number, such as phone numbers or street addresses, could not be obtained because for some reason the data would not populate in the text field,” he noted. “Still, such attacks could be easily and cheaply distributed on a mass scale using an advertising network where likely no one would ever notice because it’s not exploit code designed to deliver rootkit payload. In fact, there is no guarantee this has not already taken place.”
Grossman said he disclosed the issue to Apple June 17, but only received an automated response in return. Safari users concerned about the issue can disable AutoFill Web forms to prevent the situation.