A prominent security researcher is urging users of Apple’s Safari browser to immediately turn off the AutoFill feature to block hackers from stealing sensitive information.

According to Jeremiah Grossman, founder and Chief Technology Officer of WhiteHat Security, the AutoFill Web Forms feature can be hacked to steal data from the computer’s address book.

“Right at the moment a Safari user visits a website, even if they’ve never been there before or entered any personal information, a malicious website can uncover their first name, last name, work place, city, state, and email address,” Grossman explained in a blog post.

Grossman, a Web application security specialist, said the AutoFill feature (enabled by default on a fully patched Safari) pulls data from the user’s personal record in the local operating system address book.

All a malicious website would have to do to surreptitiously extract Address Book card data from Safari is dynamically create form text fields with the aforementioned names, probably invisibly, and then simulate A-Z keystroke events using JavaScript. Once the fields are populated, that is, AutoFilled, their contents can be read and sent to the attacker.
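Since the only mitigation on the user's side is the one the article opens with, turning the feature off, here is a small added audit helper for macOS (example code, not from the article or from WhiteHat Security). It reports whether Safari will still AutoFill web forms from the local Address Book card. It assumes Safari keeps this setting in the com.apple.Safari preference domain under the key AutoFillFromAddressBook (0 = off, 1 = on); confirm that key on your own Safari build before relying on the script. Because the article notes the feature is on by default, a key that has never been written is treated as enabled.

```shell
#!/bin/sh
# Added example: audit whether Safari's Address Book AutoFill is enabled.
# Assumption: the setting lives at com.apple.Safari / AutoFillFromAddressBook.
PREF_DOMAIN="com.apple.Safari"
PREF_KEY="AutoFillFromAddressBook"

# classify_autofill VALUE
# Maps the raw value returned by `defaults read` to a risk verdict.
# An empty value means the key was never written; the feature is enabled
# by default, so "absent" is reported as on-by-default, not as off.
classify_autofill() {
    case "$1" in
        0|false|NO)  echo "off" ;;
        1|true|YES)  echo "on" ;;
        "")          echo "on-by-default" ;;
        *)           echo "unknown" ;;
    esac
}

# audit_safari_autofill
# Prints a one-line verdict. Returns 0 when the feature is off, 1 when it
# is on (explicitly or by default), 2 when the check does not apply here.
audit_safari_autofill() {
    if ! command -v defaults >/dev/null 2>&1; then
        echo "defaults(1) not found; this check only applies on macOS"
        return 2
    fi
    raw=$(defaults read "$PREF_DOMAIN" "$PREF_KEY" 2>/dev/null)
    state=$(classify_autofill "$raw")
    case "$state" in
        off)
            echo "Safari Address Book AutoFill: OFF"
            return 0 ;;
        on|on-by-default)
            echo "Safari Address Book AutoFill: ON ($state)"
            echo "To disable: defaults write $PREF_DOMAIN $PREF_KEY -bool false"
            return 1 ;;
        *)
            echo "Safari Address Book AutoFill: unrecognised value '$raw'"
            return 1 ;;
    esac
}

# Run the audit only when invoked with --check, so the file can also be
# sourced to reuse the functions.
if [ "${1:-}" = "--check" ]; then
    audit_safari_autofill
fi
```

Run it as `sh safari_autofill_audit.sh --check`; a non-zero exit status means the feature is still active (or the host is not a Mac), which makes the script easy to drop into a fleet-wide compliance check. Quit and relaunch Safari after changing the preference so the new value is picked up.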

“It is important to emphasize this feature works even though a user never entered this data on any website. Also this behavior should not be confused with normal auto-complete data a Web browser may remember after it’s typed into a form,” Grossman added.

Grossman, who will discuss this weakness/attack scenario at this year’s Black Hat conference, said the entire process takes mere seconds and “represents a major breach in online privacy.”

This attack could be further leveraged in multistage attacks including email spam, (spear) phishing, stalking, and even blackmail if a user is de-anonymized while visiting objectionable online material.

Grossman said he reported the flaw to Apple twice but never got beyond an e-mail auto-response.

Categories: Vulnerabilities, Web Security