Safari vulnerability could steal your data

A Safari vulnerability disclosed today could easily steal your address book contacts through the browser's autofill feature.

Blogger Jeremiah Grossman privately notified Apple one month ago about a vulnerability in Safari's autofill feature that can steal your contacts' names, where they work and live, and even their email addresses.

The JavaScript-powered code scans through your autofill information and harvests whatever is available, without any user interaction or prompts. Grossman posted a proof-of-concept website that reads your name, company, city, state, country and email and displays all of that information back to you.

Although the proof-of-concept might seem harmless, the same code could be hidden on a website, delivered through an advertisement on another website, or by some other means, stealing your information without you even knowing it. There is one limitation in the code, however: it can't read numbers, meaning your phone number is safe.

Users should note that this only works on Safari 4.x and 5.0 and uses information taken from the Address Book on your Mac, something users are required to fill out when they boot their machine for the first time. The code has some trouble taking information from Safari's autofill feature on Windows, but it can still obtain some of your information there.

The good news? The vulnerability is easily blocked, simply by disabling AutoFill under Safari's Preferences. Users should disable the autofill feature until Apple properly addresses and fixes the problem.



I have never used the address book on my Mac, I keep everything on my phone. So, I guess the only person they will get is my address and Apple's.

But, to be honest, I love the auto-fill that Safari has implemented, I don't know why, but it seems to work very well. (Then again, I haven't tried or used any alternate application for this before, so my comment is pretty biased)

Toorop said,
What I stick to: Chrome, Firefox, Opera, and sometimes Internet Explorer. That's the safest way.

I think actually, that, Opera might be most secure out of all of those.

Toorop said,
What I stick to: Chrome, Firefox, Opera, and sometimes Internet Explorer. That's the safest way.

Chrome IS WebKit, like Safari, although it is unaffected... apparently.

Never have and never will touch Safari, FF and Opera for good, but I know Apple won't admit the problem, pretty obvious for Steve Jobs

GreyWolf said,
"You're X wrong" is tired and unrelated. Please stop.

Tired of people making fun of Apple?

There's an App for that! ("The Butthurt")

PeterTHX said,

Tired of people making fun of Apple?

There's an App for that! ("The Butthurt")

More like bored of reading the same thing over and over. Come on now, are we all in kindergarten that we are unable to hold a conversation without repeating the same phrase time and time again? And before you put an 'Apple fan' sticker on me, I own only one Apple product that I'm considering replacing as soon as possible.

PeterTHX said,

Tired of people making fun of Apple?

There's an App for that! ("The Butthurt")

No, more like tired of seeing trollish memes in the news comments.

GreyWolf said,

No, more like tired of seeing trollish memes in the news comments.

As opposed to all the "Vista Sucks", "viruses" and "Blue screen" in the PC comments...
Or Apple commercials?

PeterTHX said,

As opposed to all the "Vista Sucks", "viruses" and "Blue screen" in the PC comments...
Or Apple commercials?


So two wrongs make a right in your world? Grow up.

ccuk said,
So two wrongs make a right in your world?

Or "Can dish it out but can't take it"

Besides, simple physics: a negative + a negative = a positive. :-)

PeterTHX said,

Or "Can dish it out but can't take it"

Besides, simple physics: a negative + a negative = a positive. :-)

FAIL (on two counts): simple MATHS: a negative + a negative = a bigger negative. A negative X a negative = a positive. Otherwise, I agree

phoenix198 said,

FAIL (on two counts): simple MATHS: a negative + a negative = a bigger negative. A negative X a negative = a positive. Otherwise, I agree

Buh! Math is hard! :-P
I realized it later but it was too late to edit.

bbfc_uk said,
I quite like using Safari, just wish it looked better on Windows.

No kidding, Safari is great . . . but on Windows it is sluggish.

efthlouk said,
Yeah.. Well okay, why can't you just disable the autofill feature?!

I've never liked using autofill. On every browser I've tried it on it doesn't seem to work very consistently.

astroX said,
hmmm .. Apple vulnerability

I know! It's not like Apple has any viruses on it. Apple users never have to worry about malicious people. I mean come on, a relatively new OS that has not had much time to mature surely cannot have security issues!

MSfanboy said,

I know! It's not like Apple has any viruses on it. Apple users never have to worry about malicious people. I mean come on, a relatively new OS that has not had much time to mature surely cannot have security issues!

OS X is based on BSD. It's quite mature. The browser is based on the Konqueror browser library, which is also quite mature. Sometimes a bug is just a bug.

virtorio said,

http://en.wikipedia.org/wiki/NeXTSTEP - hardly a new operating system

Age and platform maturity are not the same thing.

One could actually argue that an OS using methods and designs that date back to the sixties is insane and far from ideal for modern hardware and poor for security.

This argument is why you find any *nix to be more of a patchwork instead of a cohesive model.

Edited by thenetavenger, Jul 23 2010, 6:55am

GreyWolf said,

OS X is based on BSD. It's quite mature. The browser is based on the Konqueror browser library, which is also quite mature. Sometimes a bug is just a bug.

I wish people would stop saying this, especially when they think it means something it doesn't.

OS X is not based on BSD. It has a BSD API, and that is different. It is more of an XNU-based OS with quite a bit of monkeying and band-aids to overcome some of the XNU limitations. This is why it inherently performs poorly in multi-core and SMP, because of the threading changes Apple made to get single-CPU multitasking to work well originally.

BSD is just the kernel API interface, much like if you run Unix services on Windows it also offers a full BSD interface to the Unix subsystem; however, Windows is also not BSD, nor even is the Unix subsystem considered to be BSD.

Also, BSD doesn't mean the OS is more secure or mature unless it is running OpenBSD code, which OS X is not.

thenetavenger said,

Age and platform maturity are not the same thing.

One could actually argue that an OS using methods and designs that date back to the sixties is insane and far from ideal for modern hardware and poor for security.

This argument is why you find any *nix to be more of a patchwork instead of a cohesive model.


I didn't say it was made of sunshine and cookies, just stating that it isn't a new platform.

Unfortunately there aren't as many good options for browsing on a Mac as on a PC. Chrome on Mac sucks and generally speaking Firefox has gone down the rabbit hole. Safari remains the best browser for a good experience on a Mac.

cloaked said,
Unfortunately there aren't as many good options for browsing on a Mac as on a PC. Chrome on Mac sucks and generally speaking Firefox has gone down the rabbit hole. Safari remains the best browser for a good experience on a Mac.

Not on my iMac it isn't, and never will be.

Very glad I read this. Currently not using the browser, but thanks Andrew for bringing this to everyone's attention, although Apple, like every company, needs to understand the importance of this.