According to Jeremiah Grossman, founder and Chief Technology Officer of WhiteHat Security, the AutoFill Web Forms feature can be hacked to steal data from the computer’s address book.
“Right at the moment a Safari user visits a website, even if they’ve never been there before or entered any personal information, a malicious website can uncover their first name, last name, work place, city, state, and email address,” Grossman explained in a blog post.
Grossman, a Web application security specialist, said the AutoFill feature (enabled by default on a fully patched Safari) pulls data from the user’s personal record in the local operating system address book.
“It is important to emphasize this feature works even though a user never entered this data on any website. Also, this behavior should not be confused with normal auto-complete data a Web browser may remember after it’s typed into a form,” Grossman added.
Grossman, who will discuss this weakness/attack scenario at this year’s Black Hat conference, said the entire process takes mere seconds and “represents a major breach in online privacy.”
This attack could be further leveraged in multistage attacks including email spam, (spear) phishing, stalking, and even blackmail if a user is de-anonymized while visiting objectionable online material.
Grossman said he reported the flaw to Apple twice but never got beyond an e-mail auto-response.