Safari Privacy Bug May Be Leaking Your Data
richi writes "If you use Safari, your browser may be leaking your private information to any website you visit. Jeremiah Grossman, the CTO of WhiteHat Security, has discovered some Very Bad News. I have some analysis and other reactions over at my Computerworld blog. The potential for spam and phishing is huge. A determined attacker might even be able to steal previously-entered customer data." In short, autofill for Web forms is enabled by default in Safari 4 / 5 (and remotely exploitable), and the data that this feature has access to includes the user's local address book — even if the information has never been entered into a Web form.
Re:Only if you put the data there to begin with... (Score:2, Informative)
Even if you've never used the Address Book app, this information could be in there. In the OS X first-launch setup dialog it asks for your real name, and that gets automatically inserted into the address book. I'd wager that most people who use Macs have done this, so their real names are accessible to any website using this technique.
Additionally, though this is less likely, if you fill out the registration form during setup I believe that information also goes into the address book, so there's your home address and email too.
Not the whole address book (Score:2, Informative)
and the data that this feature has access to includes the user's local address book
The only card that can be read is the "Me" card, not the whole address book.
Re:So..'many eyes make bugs shallow'? (Score:3, Informative)
Umm... WHAT? Sorry to burst your conceit bubble there, Sparky, but... "Many eyes make bugs shallow" does not apply to Safari, because Safari is not open source software.
WebKit (the open source rendering engine that Safari uses) is not vulnerable. Chrome and Chromium (also built on WebKit) are also not vulnerable.
Well, yes and no.
Jeremiah Grossman said...
@Anonymous, Tom: I believe this may be a WebKit issue and not just Safari. While it is difficult to confirm now, I suspect this technique did in fact affect Chrome. Had some discussions with Google a while back surrounding this topic and recall them finding/fixing something, but I don't really get all the details straight. Will have to find an older Chrome version somewhere to confirm...
@anonymous: this hack may have worked on Chrome at one time, but no longer. Trying to confirm, but difficult to get old OS X copies. :)
Re:"If you use Safari, (Score:4, Informative)
Yeah, because no one has an iPhone or iPad.
Naccio said...
@ Jeremiah Grossman: Does it work with iPad, iPhone or iPod browser?
July 22, 2010 11:56 AM
Jeremiah Grossman said...
@naccio: no, it does not. Mobile Safari's behavior is different.
Re:So..'many eyes make bugs shallow'? (Score:2, Informative)
If you are going to shove words into my post, shove the words I was replying to into my post:
Could it be that the job is simply too complex for most non-professionals and that the open source model has reached the end of its useful life?
Re:So..'many eyes make bugs shallow'? (Score:4, Informative)
If any respectable open source team member had seen JavaScript events being passed to the keyboard buffer, he or she would have screamed blue bloody murder and it would have become a priority one bug faster than you can say "the developer who wrote that shit has just lost code submission privileges on this project".
Given that most Safari developers working for Apple are very respectable Open Source team members that contribute heavily to WebKit, I will have to say that your assertion is simply not true.
Re:So..'many eyes make bugs shallow'? (Score:3, Informative)
Really? Because there is discussion between developers (not just fanboys like yourself) about it existing and being fixed in Chrome because it's likely a WebKit issue, not Safari.
Of course, I don't know that for a fact because it's too soon to tell, but that didn't stop you from spouting some ignorant bullshit so why should it stop me?
It's a bug in the JavaScript and DOM code ... which ... guess where that code comes from ... It's not like Safari does it differently than every other WebKit based browser.