Safari AutoFill Exploits

July 22nd, 2010

Safari Autofill

Desktop Safari 4 and 5 have an AutoFill feature whose setting “Using info from my Address Book card” is turned on by default. You can find it under Safari > Preferences on the AutoFill tab. With this setting on, Safari fills in web forms with data from your own card in your Mac’s Address Book, which may contain your name, company, address and email address. The problem is that AutoFill completes a form even on a website where you have never entered any data before. This opens the door to exploits by malicious websites: a site can obtain your address book data behind the scenes without you knowing.

To illustrate the point, Jeremiah Grossman has developed a proof-of-concept website where you can see it in action.

We recommend that you uncheck this setting in your Safari preferences for your own protection.
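For Macs you administer in bulk, the same checkbox can be audited and turned off from a terminal. The script below is an added example, not code from the original post or from Apple; it assumes (an assumption, not something the post states) that the checkbox is backed by the `AutoFillFromAddressBook` key in the `com.apple.Safari` defaults domain, and that Safari reads its preferences at launch, so it must be quit before the change and reopened afterwards.

```shell
#!/bin/sh
# Audit and disable Safari's "Using info from my Address Book card" AutoFill
# setting from the command line. Added example, not from the original post.
# ASSUMPTION: the checkbox is backed by the preference key
# AutoFillFromAddressBook in the com.apple.Safari defaults domain.

PREF_DOMAIN="com.apple.Safari"
PREF_KEY="AutoFillFromAddressBook"

# classify_value: map the raw stored value to a status string.
# An absent key (empty argument) means Safari's built-in default applies,
# which the post says is ON.
classify_value() {
    case "$1" in
        1|true|TRUE|yes|YES) echo "enabled" ;;
        0|false|FALSE|no|NO) echo "disabled" ;;
        "")                  echo "enabled-by-default" ;;
        *)                   echo "unknown" ;;
    esac
}

# needs_fix: succeed (exit 0) when the status means Address Book AutoFill is active.
needs_fix() {
    case "$1" in
        enabled|enabled-by-default) return 0 ;;
        *)                          return 1 ;;
    esac
}

# audit_safari_autofill: read the live preference (empty if unset) and classify it.
audit_safari_autofill() {
    raw=$(defaults read "$PREF_DOMAIN" "$PREF_KEY" 2>/dev/null)
    classify_value "$raw"
}

# disable_safari_autofill: write the setting off. Refuse while Safari is running,
# because a running Safari may overwrite the change when it saves its own state.
disable_safari_autofill() {
    if pgrep -xq Safari; then
        echo "Quit Safari before changing its preferences." >&2
        return 1
    fi
    defaults write "$PREF_DOMAIN" "$PREF_KEY" -bool false
}

# Only act when invoked as `sh safari-autofill.sh --run` on macOS; otherwise the
# file just defines the functions above so they can be sourced or tested.
if [ "$1" = "--run" ] && [ "$(uname)" = "Darwin" ]; then
    status=$(audit_safari_autofill)
    echo "AutoFill from Address Book: $status"
    if needs_fix "$status"; then
        disable_safari_autofill && echo "Setting turned off; reopen Safari."
    fi
fi
```

Treating a missing key as "enabled-by-default" is the important detail: a fresh user profile has never written the key at all, so a check that only looks for an explicit `1` would report such machines as safe when they are not.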

Via Jeremiah Grossman’s Blog

One Comment

  1. Apple Released Safari 5.0.1 and Safari Extensions Gallery | Sanziro Says:
    July 29, 2010 at 6:50 am

    [...] the support of extensions, Safari 5.0.1 also plugs the Autofill vulnerability which exposes your address book data. [...]