A feature in Apple’s Safari browser designed to make it easier to fill out forms could be abused by hackers to harvest personal information, according to a security researcher.
Safari’s AutoFill feature is enabled by default and will fill in information such as first and last name, work place, city, state, and e-mail address when it recognizes a form, wrote Jeremiah Grossman, CTO for WhiteHat Security, on his blog.
The information comes from Safari’s local operating system address book.
The feature dumps the data into the form even if a person has entered no data on a particular Web site, which opens up an opportunity for a hacker.
“All a malicious website would have to do to surreptitiously extract Address Book card data from Safari is dynamically create form text fields with the aforementioned names, probably invisibly, and then simulate A-Z keystroke events using JavaScript,” Grossman wrote. “When data is populated, that is AutoFill’ed, it can be accessed and sent to the attacker.’
via Researcher finds Safari reveals personal information – Computerworld.
