Hacking Safari’s auto-complete feature
July 26, 2010
The recently released update to Safari (version 5.0.1) seems to fix the security issue described below.
Jeremiah Grossman points out a serious security issue that he recently found in Safari.
You probably know about Safari’s autocompletion feature that makes filling in web forms a piece of cake by mapping the input names to their corresponding entries in your Address Book card.
There is a proof of concept code so you can see this yourself.
I’m afraid at the time of writing this blog entry I can confirm that this security hole still exists in the latest official version of Safari (Version 5.0, 6533.16), however it seems like this issue has been addressed and fixed in the latest nightly build of WebKit (Version 5.0, 6533.16, r63958). You might be asking yourself if this issue affects Google’s Chrome that happens to be using Apple’s WebKit under the hood, but it didn’t expose personal data while running the tests. Mobile Safari is also unaffected because its behaviour is different.
The issue can be addressed manually by disabling this functionality in Safari’s preferences under the AutoFill tab.
This issue affects Safari version 4 and 5, with about 4% of combined market share (~83 million internet users) and has already been reported to Apple.
We are hoping that they are going to release a new official version very soon that contains a fix. Given the relatively aggressive automatic system update feature built into OS X, the patch should spread across most users’ computers. Apple recently released an update to Safari (version 5.0.1) that has fixed the security issue.