Safari Privacy Bug May Be Leaking Your Data

richi writes "If you use Safari, your browser may be leaking your private information to any website you visit. Jeremiah Grossman, the CTO of WhiteHat Security, has discovered some Very Bad News. I have some analysis and other reactions over at my Computerworld blog. The potential for spam and phishing is huge. A determined attacker might even be able to steal previously-entered customer data." In short, autofill for Web forms is enabled by default in Safari 4 / 5 (and remotely exploitable), and the data that this feature has access to includes the user's local address book — even if the information has never been entered into a Web form.

So..'many eyes make bugs shallow'?

[RLiegh]

If that old canard is so true, than I have to wonder why it is that their are so many security-related issues with F/OSS browsers that go unchecked for so long? While IE was justifibly a laughing stock nowadays webkit and firefox are barely much better -despite the 'many eyes' theory.

Could it be that the job is simply to complex for most non-professionals and that the open source model has reached the end of it's useful life?

Re:So..'many eyes make bugs shallow'?

[Anonymous Coward]

Isn't this a bug in Safari, not Webkit? As such, it's Apple's responsibility, not the F/OSS community's.

Re:So..'many eyes make bugs shallow'?

[PopeRatzo]

I'm not buying your assertion that open source developers are more attentive or more dedicated than non-open source developers. What is the rationale for that?

It could be because between open source and non-open source developers, only one group has a boss to hate.

Freedom to do the best job you can and the sheer desire to create a product that's good enough that you would use is a very strong motivating factor.

I'm not saying this is necessarily the "rationale" you asked for, but maybe. Maybe the open source developers didn't have to waste their time going to "team building" workshops, or Monday breakfast meetings or have to keep their mouth shut while their boss screws something up or takes credit for the developers' work.

Not that open source shops are utopias, but I think it's possible that they are more dedicated than their colleagues at Microsoft or Apple.

There are certainly places it shines, but this is not one of them.

Wait a minute now. We're talking about four browsers. The ones from Apple and Microsoft have security vulnerabilities and the ones from Google and Mozilla do not. Is it just coincidence?

Yes, Firefox AND Chrome are affected

[pastafazou]

"Internet Explorer, Firefox, Chrome, and Safari browsers are susceptible to attacks that allow webmasters to glean highly sensitive information about the people visiting their sites, including their full names, email addresses, location, and even stored passwords, a security researcher says."
although the exploits are different for each browser. Read more here [theregister.co.uk]

Re:what the user sees should be hidden from progra

[infolation]

It certainly is possible to override CTRL-ALT-DELETE.

Even something as basic as an Adobe 'Macromedia' Director projector can trap it using something like Meliorasoft's Keyboard Control Xtra" [meliorasoft.com]