The web's full of vulnerabilities, but this one, which lets a malicious web page quietly yank your Mac's Address Book data through Safari's AutoFill, seems bad enough that you should probably take a few seconds to disable AutoFill, just to be safe.

9to5Mac is bringing attention to the exploit, which was exposed and covered in detail by Jeremiah Grossman:

These fields are AutoFill'ed using data from the user's personal record in the local operating system address book. Again, it is important to emphasize this feature works even though a user never entered this data on any website. Also, this behavior should not be confused with normal auto-complete data a Web browser may remember after it's typed into a form.

All a malicious website would have to do to surreptitiously extract Address Book card data from Safari is dynamically create form text fields with the aforementioned names, probably invisibly, and then simulate A-Z keystroke events using JavaScript. When data is populated, that is, AutoFill'ed, it can be accessed and sent to the attacker.

As shown in the proof-of-concept code (graciously hosted by Robert "RSnake" Hansen), the entire process takes mere seconds and represents a major breach in online privacy. This attack could be further leveraged in multistage attacks including email spam, (spear) phishing, stalking, and even blackmail if a user is de-anonymized while visiting objectionable online material.

Grossman told Apple about the issue over a month ago but hasn't heard back yet, so yeah, it's probably a good idea for Safari users to go to Preferences and uncheck all of the AutoFill options until this is addressed. [Jeremiah Grossman via 9to5Mac]