Disable your Safari AutoFill now!!!
A year-old Safari exploit has been brought to light recently by Jeremiah Grossman that will allow hackers to steal all data in Safari’s AutoFill feature, including Email, Name, Addresses, and even Credit Card data. The exploit has apparently been known for over a year and could easily be implemented in online ads and websites. 9to5mac also notes that IE 6 and 7 are apparently susceptible as well.
“As shown in the proof-of-concept code (graciously hosted by Robert “RSnake” Hansen), the entire process takes mere seconds and represents a major breach in online privacy. This attack could be further leveraged in multistage attacks including email spam, (spear) phishing, stalking, and even blackmail if a user is de-anonymized while visiting objectionable online material.”
Grossman also notes that he has informed Apple of the issue:
“I figured Apple might appreciate a vulnerability disclosure prior to public discussion, which I did on June 17, 2010 complete with technical detail. A gleeful auto-response came shortly after, to which I replied asking if Apple was already aware of the issue. I received no response after that, human or robot. I have no idea when or if Apple plans to fix the issue, or even if they are aware, but thankfully Safari users only need to disable AutoFill web forms to protect themselves.”
You can read Jeremiah Grossman’s entire report on the exploit as well as a video demo of it in action here.