0day: Apple Safari AutoFill

Description

Jeremiah Grossman has discovered a weakness in Apple Safari, which can be exploited by malicious people to disclose potentially sensitive information.

The weakness exists because the AutoFill feature is enabled by default to use information from the personal address book card. This can be exploited to secretly disclose personal information from that card when a user visits a specially crafted web page.

The weakness is confirmed in Safari version 5.0. Other versions may also be affected.

Impact: Exposure of sensitive information

Reference: Secunia Advisory SA40664

Solution
Disable the AutoFill feature for address book card information.

How? Open Safari preferences (press Command-comma, ⌘,) and uncheck the option to AutoFill web forms.

Further reading:

http://jeremiahgrossman.blogspot.com/2010/07/i-know-who-your-name-where-you-work-and.html

PoC: http://ha.ckers.org/weird/safari_autofill.html

Personal information exposed? It depends on the data; here’s my browser result.
