
Turn Off Your Safari AutoFill, a Nasty Exploit Could Steal Your Address Book [Exploits]

The net's packed with vulnerabilities, but this exploit, which allows code to quietly yank your Mac's Address Book with Safari's AutoFill, seems bad enough that you should probably take a couple of seconds to disable AutoFill, just to be safe.



9to5Mac is bringing attention to the exploit, which was exposed and covered in detail by Jeremiah Grossman:

These fields are AutoFill'ed using data from the user's personal record within the local operating system address book. Again, it is very important to emphasize this option works even if a user never entered this information on any website. Also, this behavior should not be confused with normal auto-complete data an internet browser may remember after it's typed into a form.

All a malicious website would have to do to surreptitiously extract Address Book card data from Safari is dynamically create form text fields with the aforementioned names, probably invisibly, and then simulate A-Z keystroke events using JavaScript. When data is populated, that is AutoFill'ed, it could be accessed and sent to the attacker.

As shown in the proof-of-concept code (graciously hosted by Robert "RSnake" Hansen), the whole process takes mere seconds and represents a chief breach in online privacy. This attack would be further leveraged in multistage attacks including email spam, (spear) phishing, stalking, and even blackmail if a user is de-anonymized while visiting objectionable online material.


Grossman told Apple about the issue over a month ago but hasn't heard back yet, so yeah, it's probably a good idea for Safari users to go to Preferences and uncheck all AutoFill options until that is addressed. [Jeremiah Grossman via 9to5Mac]
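The attack described above depends on two conditions: form fields the user never sees, and keystrokes generated by script rather than by the user. The following JavaScript is an added example, not code from Grossman's proof of concept, 9to5Mac or Safari: it models the policy gate an autofill feature could apply to refuse both conditions. The function names and the plain objects standing in for DOM fields and events are hypothetical; `isTrusted` is the DOM flag that is false for script-dispatched events.

```javascript
// Model of an autofill policy gate (added example; not Safari's implementation).
// Field and event objects are constructed stand-ins for DOM nodes and events.

// A field counts as visible only if the user could actually see and click it.
function isVisibleToUser(field) {
  const s = field.style || {};
  if (field.type === 'hidden') return false;
  if (s.display === 'none' || s.visibility === 'hidden') return false;
  if (Number(s.opacity ?? 1) === 0) return false;
  const r = field.rect || { left: 0, top: 0, width: 0, height: 0 };
  if (r.width < 2 || r.height < 2) return false;                     // 0x0 or 1x1 fields
  if (r.left + r.width <= 0 || r.top + r.height <= 0) return false;  // positioned off-screen
  return true;
}

// Decide whether address-book data may be offered for this field.
function autofillDecision(field, event) {
  // Keystrokes simulated from page script arrive with isTrusted === false.
  if (!event || event.isTrusted !== true) {
    return { fill: false, reason: 'synthetic-event' };
  }
  if (!isVisibleToUser(field)) {
    return { fill: false, reason: 'field-not-visible' };
  }
  // Even for a real keystroke, only offer a suggestion: the value should reach
  // the page after the user explicitly picks it, not before.
  return { fill: true, reason: 'user-initiated', requiresConfirmation: true };
}

// Constructed sample fields.
const box = { left: 40, top: 120, width: 200, height: 24 };
const visibleField = { type: 'text', style: {}, rect: box };
const offscreenField = { type: 'text', style: {}, rect: { ...box, left: -5000 } };
const transparentField = { type: 'text', style: { opacity: '0' }, rect: box };

function runSamples() {
  return [
    autofillDecision(visibleField, { type: 'keydown', isTrusted: false }).reason,
    autofillDecision(offscreenField, { type: 'keydown', isTrusted: true }).reason,
    autofillDecision(transparentField, { type: 'keydown', isTrusted: true }).reason,
    autofillDecision(visibleField, { type: 'keydown', isTrusted: true }).reason,
  ];
}

console.log(runSamples());
```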
