Safari autofill exploit can reveal user data

The autofill option in the Apple browser, and possibly in Google Chrome, can expose personal data without a user's consent, says a security researcher. But is the exploit new?


The autofill option in Apple's Safari browser can expose personal data without the user's consent, a security researcher reported on Wednesday. It remains unclear whether the problem affects Safari specifically or all WebKit-based browsers, which include Google Chrome. It's recommended that Safari and Chrome users disable the autofill feature immediately, until further notice.

Jeremiah Grossman, the chief technical officer of WhiteHat Security, documented the exploit in a blog post on Wednesday, saying that it affects both the current version of Safari, version 5, and the legacy version, Safari 4. He said that the exploit is severe enough that a malicious Web site can access autofill information from Safari without the user entering any personal information on the site, and even if the user has never visited the site before.

A malicious Web site would only have to create dynamic form text fields with appropriate names, such as "address" or "credit card," and simulate A-Z keystrokes using JavaScript, and then the data would be filled in automatically, Grossman said in the blog post. This would work, he said, even if the text fields were hidden from the visitor's view. He also added that he notified Apple of the security breach on June 17 in accordance with accepted "best behavior" practices for security researchers, but received only an automatic response.

But it looks like the exploit may not be new. In a blog post from April 2009, Swiss security researcher Patrice Neff uncovered a strikingly similar exploit, which went unnoticed by many people, where Safari would submit a birthday without the user's consent. Neff was able to write a script that could harvest that information from Safari browsers. It's not clear at this point whether the exploits are identical, or just have similar-looking outcomes.

Regardless, the exploit highlights the risk in using automatic data-filling technology without stronger security controls. Users can disable autofill in Safari by going to Preferences, AutoFill, and AutoFill Web forms. In Chrome, go to the "wrench" menu, choose Options, Personal Stuff, and click the AutoFill button. The exploit does not appear at this time to affect the mobile Safari on iOS, or the WebKit-based browser on Android.

Apple's official statement on the autofill vulnerability did not address specifics. "We take security and privacy very seriously. We're aware of the issue and working on a fix," said an Apple representative.

Google did not comment but did confirm that this autofill exploit is not a vulnerability in Chrome, because the browser requires a user confirmation, which can't be mimicked by JavaScript, before it populates text fields.

Updated 2:50 p.m. PDT: Comment from Apple has been added.

Updated 3:45 p.m. PDT: Confirmation from Google has been added.
