Safari AutoFill Exploits

[Image: Safari AutoFill preferences]

Desktop Safari 4 and 5 have an AutoFill feature whose “Using info from my Address Book card” option is turned on by default. You can reach this setting from Safari > Preferences, under the AutoFill tab. With it enabled, Safari fills in web forms with data from your own record in your Mac’s Address Book, into which you may have entered your name, company, address and email address. The problem is that AutoFill will complete a form on a website even if you have never entered any data on that website before. This opens the door to abuse by malicious websites, since a site can obtain your Address Book data behind the scenes without you knowing.

To illustrate the point, Jeremiah Grossman has developed a [proof-of-concept website]( where you can see it in action.

We recommend that you uncheck this setting in your Safari preferences for your own protection.

Via [Jeremiah Grossman’s Blog](

