The autofill option in Apple's Safari browser can expose personal data without the user's consent, a security researcher reported on Wednesday. It remains unclear as to whether the problem affects Safari specifically or all WebKit-based browsers, which include Google Chrome. It's recommended that Safari and Chrome users disable the autofill feature immediately, until further notice.
Jeremiah Grossman, the chief technical officer of WhiteHat Security, documented the exploit in a blog post on Wednesday, saying that it affects both the current version of Safari, version 5, and the legacy version, Safari 4. He said that the exploit is severe enough that a malicious Web site can access autofill information from Safari without the user entering in any personal information on the site, or even if the user had never visited the site previously.
But it looks like the exploit may not be new. In a blog post from April 2009, Swiss security researcher Patrice Neff uncovered a strikingly similar exploit, which went unnoticed by many people, where Safari would submit a birthday without the user's consent. Neff was able to write a script that could harvest that information from Safari browsers. It's not clear at this point whether the exploits are identical, or just have similar-looking outcomes.
Regardless, the exploit highlights the risk in using automatic data-filling technology without stronger security controls. Users can disable autofill in Safari by going to Preferences, AutoFill, and AutoFill Web forms. In Chrome, go to the "wrench" menu, choose Options, Personal Stuff, and click the AutoFill button. The exploit does not appear at this time to affect the mobile Safari on iOS, or the WebKit-based browser on Android.
Apple's official statement on the autofill vulnerability did not address specifics. "We take security and privacy very seriously. We're aware of the issue and working on a fix," said an Apple representative.
Updated 2:50 p.m. PDT: Comment from Apple has been added.
Updated 3:45 p.m. PDT: Confirmation from Google has been added.