
Safari is Apple's web browser. It is unfortunate that a problem like this comes from a vendor of Apple's size, but that is the situation.
AutoFill functionality and the vulnerability
AutoFill is a browser feature that stores your personal details (name, address, and so on) so that the next time you meet a form, the browser fills the fields for you. It makes things easier, and makes us a little lazier too :). The fact remains that many of us rely on it, and when an attack targets this feature it is genuinely dangerous.
A feature of Apple’s Safari browser can be used by hackers to harvest personal information, says Jeremiah Grossman, founder and CTO of WhiteHat Security.
Unfortunately, this feature is enabled by default and pulls this information from the local operating system address book – not from previously entered data that the browser “remembered” from when you entered it on a different website.
“All a malicious website would have to do to surreptitiously extract Address Book card data from Safari is dynamically create form text fields with the aforementioned names, probably invisibly, and then simulate A-Z keystroke events using JavaScript,” says Grossman. “When data is populated, that is AutoFill’ed, it can be accessed and sent to the attacker.”
The only information that the feature – for some reason – doesn't automatically fill is data starting with a number (phone numbers, street addresses) – so, yes, it could be worse.
“Still, such attacks could be easily and cheaply distributed on a mass scale using an advertising network where likely no one would ever notice because it’s not exploit code designed to deliver rootkit payload,” says Grossman. “In fact, there is no guarantee this has not already taken place.”
He goes on to say that he contacted Apple with this information a little over a month ago, but has still received no reply from them other than an auto-response message. Until a fix is issued, he recommends that Safari users disable the feature (Preferences > AutoFill > AutoFill web forms).