Safari Privacy Bug May Be Leaking Your Data
richi writes "If you use Safari, your browser may be leaking your private information to any website you visit. Jeremiah Grossman, the CTO of WhiteHat Security, has discovered some Very Bad News. I have some analysis and other reactions over at my Computerworld blog. The potential for spam and phishing is huge. A determined attacker might even be able to steal previously-entered customer data." In short, autofill for Web forms is enabled by default in Safari 4 / 5 (and remotely exploitable), and the data that this feature has access to includes the user's local address book — even if the information has never been entered into a Web form.
But not Firefox... (Score:5, Insightful)
It seems that the bug is due to Safari allowing keyboard events to be generated from Javascript, so a malicious script can pretend to interact as if it were the user, whereas Firefox doesn't get fooled.
what the user sees should be hidden from programs (Score:3, Insightful)
This reminds me of Windows. It's impossible to override certain key combinations like CTRL+ALT+DELETE.
It's kind of obvious: you don't ever let a program imitate the user in the same context. Web browsers should never have been able to create windows 'outside' of the rendering area to boot (unless full screen)... browsers should never have been able to 'see' what the user sees in regard to links... Internet Explorer showing the contents of C:\... and so on...
Re: (Score:2)
This reminds me of Windows. It's impossible to override certain key combinations like CTRL+ALT+DELETE.
Is this true?
Odd coincidence, but last night I got a Windows
Re: (Score:1)
Odd coincidence, but last night I got a Windows
Did it hurt?
Re: (Score:2)
Re: (Score:2)
I've never understood the Ctrl-Alt-Del thing on the Windows login. Yeah, if it comes up and asks you to hit Ctrl-Alt-Del, you can be certain it's the real login screen. But really, how many users are going to get a login screen and notice that it didn't ask for Ctrl-Alt-Del and then call up tech support? 99.9% of people will just enter their username and password and not take any notice.
Re: (Score:2)
And why should fullscreen get a pass?
Re: (Score:2)
Only if the user invoked the fullscreenedness should it be permitted. I think in that way it would be very difficult for software to 'fake' your desktop.
Re: (Score:2)
Then why mention fullscreenedness at all? That's a red herring. Do this instead:
Web browsers should never have been able to create windows 'outside' of the rendering area to boot (unless user-invoked)
Same applies to popups, no?
Re: (Score:2)
By allowing popups to appear outside the page rendering area, i.e. the bit below your tab bar and browser GUI and with small borders, it gives websites free rein and the ability to create realistic popup windows that imitate software on your system, so people get suckered into installing legitimate-looking spyware.
I am sure there are ways to 'overlay' on top of a fullscreen application to make it clear that it is, in actual fact, a web page. Even a small bar notification saying: 'Activated full screen mode. [Ok]
Re: (Score:2)
By allowing popups to appear outside the page rendering area, i.e. the bit below your tab bar and browser GUI and with small borders, it gives websites free rein and the ability to create realistic popup windows that imitate software on your system, so people get suckered into installing legitimate-looking spyware.
Yes, I understand -- though there are things about those which make it obvious that they're browser-generated. But again, user-initiated is the key here. Current popup blockers do a good job, I think -- Chrome blocks popups, but makes it clear when a website has requested a popup and how to enable it.
A healthy amount of skepticism would also help. For example, if a website looks local, and is asking me for my bank details or twitter account, I'm going to wonder what kind of local spyware I have installed.
I am sure there are ways to 'overlay' on top of a fullscreen application to make it clear that it is, in actual fact, a web page. Even a small bar notification saying: 'Activated full screen mode. [Ok] [Exit fullscreen]
A
Re: (Score:2)
That's exactly the kind of notification I like. Either that or something similar but hopefully less annoying like the yellow bar in IE or Firefox nowadays.
When popups could set the positioning on your screen, that's a bad thing.
Re:what the user sees should be hidden from progra (Score:3, Interesting)
Even something as basic as an Adobe 'Macromedia' Director projector can trap it using something like Meliorasoft's Keyboard Control Xtra [meliorasoft.com]
Re: (Score:2)
You're right, but I just looked at the manual for that software: you need Administrator privileges to run that Director plugin. After that you can run with normal privileges, in which case, if you're admin to begin with, you can do anything anyway; you don't need to use sneaky tactics like peeking at what the user sees or pretending to be the user.
The horse has bolted so to speak.
Re: (Score:2)
And why do you need admin privileges? To install a kernel-mode driver! Even admin users cannot directly trap CTRL-ALT-DELETE, and the right to install new services/drivers can be restricted even for administrator accounts (but in practice never is).
Bad Headline (Score:4, Insightful)
Would that have been before or after Eric Schmidt resigned Apple's board and they became sworn enemies? He didn't get mad because Steve started stalking him, did he?
Oh well, I'll hit submit in Safari now...
Re: (Score:2, Funny)
No need to hit Submit-- I've already got it.
Yes, Firefox AND Chrome are affected (Score:3, Interesting)
although the exploits are different for each browser. Read more here [theregister.co.uk]
So..'many eyes make bugs shallow'? (Score:1, Interesting)
If that old canard is so true, then I have to wonder why it is that there are so many security-related issues with F/OSS browsers that go unchecked for so long? While IE was justifiably a laughing stock, nowadays WebKit and Firefox are barely much better, despite the 'many eyes' theory.
Could it be that the job is simply too complex for most non-professionals and that the open source model has reached the end of its useful life?
Re:So..'many eyes make bugs shallow'? (Score:5, Insightful)
Re:So..'many eyes make bugs shallow'? (Score:4, Insightful)
Actually, this is a perfect example of it.
The vulnerability is in closed-source software, because Safari is closed-source. The vulnerability does not exist in Webkit (the open source component of Safari), so no one but Apple can fix this issue.
The issue was discovered almost by accident. Safari allows Javascript to emulate keypresses (which is almost inconceivably stupid).
If any respectable open source team member had seen Javascript events being passed to the keyboard buffer, he or she would have screamed blue bloody murder and it would have become a priority one bug faster than you can say "the developer who wrote that shit has just lost code submission privileges on this project".
Re:So..'many eyes make bugs shallow'? (Score:5, Insightful)
If any respectable open source team member had seen Javascript events being passed to the keyboard buffer, he or she would have screamed blue bloody murder and it would have become a priority one bug faster than you can say "the developer who wrote that shit has just lost code submission privileges on this project".
I'm not buying your assertion that open source developers are more attentive or more dedicated than non-open source developers. What is the rationale for that?
Other than defining the QA process to be whatever you want and being your own QA team, what advantages does a project being open source confer in this regard? Some outsider can swoop in and patch your critical security vulnerabilities for you, with tests, and no new bugs? Your users can fix bugs on their own, maintaining private one-off branches?
Not to dig on open source or anything, but I think its usefulness is being pushed a BIT too far sometimes. There are certainly places it shines, but this is not one of them.
Re: (Score:2, Insightful)
Re: (Score:2)
With the Q/A being in the open, anyone can go file and read through the bug reports, and if anyone actually didn't assign such a bug as priority one, then the whole project would be ridiculed, probably here and in many other places.
Some very large companies have customer accessible bug reporting systems for non open source software, and if a known bug isn't available to the public you can call support and they'll find it for you. Sun/EMC/Oracle do this, and I'm sure many others. Free self service bug report access is a nice feature of free software, but I think I was talking about open source.
That said, there is no guarantee the bug reports are open to the public for all open source projects anyway, if they even have such a process
Re:So..'many eyes make bugs shallow'? (Score:4, Insightful)
I'm not buying your assertion that open source developers are more attentive or more dedicated than non-open source developers.
It may even go the other way; it may foster complacency. A programmer working on an open source project may be more likely to assume that someone else has already looked at the code and therefore that they don't need to do it themselves. In an organization there would be someone whose specific job is to audit everything, but if that's left as a community task with no one person taking responsibility for it then it might breed complacent developers.
Obviously this is pure speculation.
Re: (Score:3, Interesting)
It could be because between open source and non-open source developers, only one group has a boss to hate.
Freedom to do the best job you can and the sheer desire to create a product that's good enough that you would use is a very strong motivating factor.
I'm not saying this is necessarily the "rationale" you asked for, but maybe. Maybe the open sourc
Re:So..'many eyes make bugs shallow'? (Score:4, Insightful)
I'm sorry, have you actually USED any OSS software?
Yes, that's true for a few things, but the 'quality' and 'motivation' of OSS devs is just as shitty as closed source devs'. For every good OSS project there are roughly 1000 shitty ones, and the same is true for closed source software.
The people who write open source software are VERY OFTEN the EXACT SAME ONES writing closed source software. Most of the time it's because one is so they can eat and the other is so they can relax and enjoy themselves.
So instead of having real motivation like 'fix the fucking bugs or you're fired and don't get paid' we have OSS motivation 'I'll feel special if I fix a bug!' ... And you think that's going to make OSS safer? Let me tell you how developers work. They write some code that they are proud of and think is bug free, and then ... someone finds and exploits their pretty code, because only about 1 out of 10,000 even care about finding bugs rather than pushing out new features, and only one in 10k of those actually have the skills to examine code and applications to find bugs, and even fewer still have the ability to figure out ways around security mechanisms.
Wait, what? Are you blind or just born yesterday and don't have any clue wtf you're talking about? Let me quote what the person who found the bug said on the page linked since no one bothers to read it ...
DOM event model (Score:4, Insightful)
The standard event model allows javascript to trigger events such as keystrokes.
It's easy to see why a browser obsessed with speed would just forward the API call to the internal event model. I can totally see the appeal and instinctive reaction to a situation like this; it's clean, fast and simple coding. Security is not often a big goal when you are initially just trying to get something working; even so, this could get missed by multiple eyes... Plus this is not part of WebKit; it's bridging the engine to the GUI, which is an unusual situation compared to the bulk of the code. All the hard work is in the engine; this just ties that to a GUI. Quite likely there is a separation between working groups (obviously there is one, since the engine is open source and the GUI is not). Their job is to bridge, and they probably do not get the level of attention as other aspects of the program.
I'm not letting them off the hook; this should have been caught within one version or during a security audit if there was one... and if there was:
1) was the attention given to the engine only?
2) do these people work on the code so they get tied up fixing bugs instead of just logging all the ones they uncover? (a lack of specialization)
Re:So..'many eyes make bugs shallow'? (Score:4, Informative)
If any respectable open source team member had seen Javascript events being passed to the keyboard buffer, he or she would have screamed blue bloody murder and it would have become a priority one bug faster than you can say "the developer who wrote that shit has just lost code submission privileges on this project".
Given that most Safari developers working for Apple are very respectable Open Source team members that contribute heavily to WebKit, I will have to say that your assertion is simply not true.
Re: (Score:3, Informative)
Really? Because there is discussion between developers (not just fanboys like yourself) about it existing and being fixed in Chrome, because it's likely a WebKit issue, not Safari.
Of course, I don't know that for a fact because it's too soon to tell, but that didn't stop you from spouting some ignorant bullshit, so why should it stop me?
Its a bug in the javascript and dom code ... which ... g
Re: (Score:1, Interesting)
Isn't this a bug in Safari, not Webkit? As such, it's Apple's responsibility, not the F/OSS community's.
Re: (Score:1)
Your post would make sense if the majority of the work done on Webkit and Firefox was not done by professionals.
Re: (Score:2, Insightful)
Your post [about F/OSS software being safer due to the "many eyes" phenomenon] would make sense if the majority of the work done on Webkit and Firefox was not done by professionals.
I don't think any definition I've seen of Free/Open Software includes anything at all about the professional status of the programmers.
In fact, much of the work on the most popular F/OSS packages is done by "professional" programmers. This is widely understood as a way to improve your public image and résumé, since it
Re: (Score:2, Informative)
If you are going to shove words into my post, shove the words I was replying to into my post:
Could it be that the job is simply too complex for most non-professionals and that the open source model has reached the end of its useful life?
Re: (Score:1)
Re: (Score:2, Insightful)
Then they have the networking part, that communicates to servers, opening several sockets at a time and coordinating their retrieval. And they have to be able to do it with HTTP1.0 or HTTP2.0. And they have to be able to handle weird HTTP things
Re: (Score:2, Insightful)
In short, if I had a choice between writing a kernel and guaranteeing that it was vulnerability-free, and writing a browser and guaranteeing it was vulnerability-free, I would take the kernel any day. It's a significantly easier piece of software.
The kernel (let's use Linux as an example) is significantly higher quality, not because it is a simpler piece of code but because it is written by people who aren't morons and actually care about robustness. A web browser has a lot of spec cruft to contend with,
Re: (Score:2)
Re: (Score:3, Insightful)
I've written my own kernels for microcontrollers and I've done a fair amount of embedding Gecko and now Webkit.
Embedding Gecko pretty much means you have to become a browser dev because mozilla is full of idiots but I digress.
I would, without any doubt in my mind, write kernel code over browser code.
Kernel code is freaking EASY compared to a browser. I'm more confident in fake 'memory protection' I can create without an MMU than I am of anything in a browser, and I know the fake memory protection is trivia
Re: (Score:2)
After that, they have to be able to parse at least three different image types (and image parsing libraries are a great place to look for vulnerabilities because they are complex and the data is hard to validate). And they have to be able to interact with the OS in some way to allow movie and audio playing. And flash. And Java Applets. And any other weird plugin.
Says who? Why does this level of interaction have to deal with the OS level? WTF? Why do application layer programs have to crash the whole box? Please tell me why.
Re: (Score:2)
Re: (Score:2)
why does this level of interaction have to deal with the os level ?
How exactly does the browser play video and audio without the OS? Should browsers come with their own audio and video drivers now?
Re: (Score:2)
That's because embedded software has the equivalent of drivers packaged with it, because they only need to work on a single known platform. Firefox isn't going to ship drivers for all known video and audio hardware in order to avoid needing to use the OS, which already has those drivers.
Re: (Score:3, Insightful)
I don't disagree with your main point that web browsers are very complex. However, the above quote is pure hyperbole. There are many types of software that make web browsers look like child's play. Among them, I would say, are avionics software, flight software for satellites, etc. Those are just a couple examples - I'm sure there are quite a few others.
Re: (Score:2)
I would argue that avionics software and flight software for satellites is actually simpler than a browser. The difference is that it has unbelievable levels of documentation and testing. When I was working with avionics software, the FAA simply forbade dynamic memory allocation for critical software. They have lightened up a bit and now allow memory to be allocated at initialization, but that's it. The important thing for this type of software is that it is predictable and deterministic. If the softwa
Re: (Score:2)
Re: (Score:2)
I've worked primarily with display systems. Much of the complexity is in input validation and source selection. If you have a valid source, then you display the value; otherwise you throw up a red "X". You don't try to guess what should be displayed like some web browsers do (and this adds complexity for the web designer, since each browser guesses differently).
Since dynamic memory is forbidden or strictly controlled, the complexities of memory management are avoided. This would be for critical avionics s
Re: (Score:2)
I've done some work on avionics displays code too, and from what I saw, the displays code is one of the least complicated parts of a typical avionics system. But that doesn't paint an accurate picture of the avionics system as a whole. Other parts, such as flight controls, vertical profile, the terrain avoidance system, etc are an order of magnitude more complex.
Also, there seems to be a tendency in this thread to equate complexity with convoluted code. Convoluted code can be quite complex, but is often unn
Re: (Score:2)
Re: (Score:2)
Re:So..'many eyes make bugs shallow'? (Score:4, Insightful)
After that, they have to be able to parse at least three different image types (and image parsing libraries are a great place to look for vulnerabilities because they are complex and the data is hard to validate). And they have to be able to interact with the OS in some way to allow movie and audio playing. And flash. And Java Applets. And any other weird plugin.
All of these are certainly complex requirements which could understandably lead to bugs.
What is not acceptable is for bugs in a data processing algorithm, say image rendering, to even be able to lead to vulnerabilities.
There is no logical need, for example, for a JPEG parser to even conceivably trigger arbitrary code execution if the programmer makes an off-by-one error in an array subscript. It's simply irrelevant to the task of that code. It should be literally impossible to make a mistake in such code in such a way as to trigger code execution.
Because Internet programming is so complex that if vulnerabilities are not made impossible, they are a certainty, and a certain vulnerability times the size of the Internet mean even the smallest mistake is no longer tolerable. Humans simply can't work with that degree of precision, nor should they ever need to. This is exactly what we built computers for: to take over the repetitive drudge work which we can't do without error. So while a programmer can be assured to make errors, it's the job of the language to make it impossible for errors in data manipulation to lead to logically-unrelated weirdnesses like code execution.
Surely this isn't rocket Turing Machine science. We don't have to solve the halting problem to get rid of buffer overflows, do we?
Re: (Score:2)
Can you point me to some resources (like, say, the RFC) for HTTP 2.0? I'm having trouble finding any evidence that it exists...
Re: (Score:2)
Browsers are about the most complex piece of software you will find anywhere
So much the better then to keep them simple by omitting useless features like autofill. I don't need my browser to remember my personal information for me. (Seriously, who needs help typing in their own name!?) This is a gimmicky feature thrown in to impress rubes. It is near worthless for legitimate use and a crack waiting to happen.
Re: (Score:2)
Re: (Score:2)
Meanwhile, you are using appeal to popularity to justify stupidity and laziness.
No, I'm saying form follows function, not the other way around. If you learn what that means, you will be a better programmer (assuming you are a programmer).
Re: (Score:2)
You are kind of funny, you don't even seem to want images in browsers. Really?
So once again, let me try to say it a different way: computers were built for people, not people for computers. Eventually (with HTML 5 and beyond) the browser is going to be a platform for network applications (which we will call web applications). Now, I admit that HTML and javascript ar
Re: (Score:2)
Re: (Score:2)
Re:So..'many eyes make bugs shallow'? (Score:4, Insightful)
Umm... WHAT? Sorry to burst your conceit bubble there, Sparky, but... "Many eyes make bugs shallow" does not apply to Safari, because Safari is not open source software.
Webkit (the open source rendering engine that Safari uses) is not vulnerable. Chrome and Chromium (also built on Webkit) are also not vulnerable. Webkit is fine, at least in regards to this vulnerability.
Safari (the closed-source browser built on Webkit) is vulnerable.
This is a closed-source software bug that has been reported to the vendor.
I don't disagree that all software has bugs. That's going to be true. But this is an example of the opposite.
Re: (Score:3, Informative)
Umm... WHAT? Sorry to burst your conceit bubble there, Sparky, but... "Many eyes make bugs shallow" does not apply to Safari, because Safari is not open source software.
Webkit (the open source rendering engine that Safari uses) is not vulnerable. Chrome and Chromium (also built on Webkit) are also not vulnerable.
Well, yes and no.
Jeremiah Grossman said...
@Anonymous, Tom: I believe this may be a WebKit issue and not just Safari. While it is difficult to confirm now, I suspect this technique did in fact affect Chrome. Had some discussions with Google a while back surrounding this topic and recall them finding/fixing something, but I don't really get all the details straight. Will have to find an older Chrome version somewhere to confirm...
@anonymous: this hack may have worked on Chrome at one time, but no longer. Trying to confirm, but difficult to get old OS X copies. :)
Re: (Score:1)
Not mad, just making a point. ;)
It is the free rider problem (Score:2)
The problem is that the people who use firefox are not cut from the same cloth as the people who develop it.
GCC is a robust and powerful compiler because the people who use it can fix it when it is broken and improve it.
The vast majority of those who use firefox and other such products are utterly incapable of fixing problems, or even of identifying when there is a problem.
Re: (Score:1)
GCC is a lot more complicated than a browser, compilers are very tricky tools to make. A lot of users that can code C certainly wouldn't be able to make a compiler without training in that area (the difference between a CS degree and a software engineering degree). On top of that GCC is a whole load of compilers, assemblers and processors not to mention the optimizers. Add the question of how does one compile a compiler without the compiler, then one realises that just the build process is nastily complica
Re: (Score:1)
Re: (Score:2)
Could it be that the job is simply too complex for most non-professionals
s/non//
I think reality is showing us that programming in the modern Internet's always-on, concurrent environment in non-thread-and-memory-safe languages is not merely difficult for amateurs, but impossible for even professionals to do safely.
I also think the answer will have to involve throwing out the von Neumann model, since we're manifestly living in a very non-von Neumann environment. Stuff happens all at once in a single giant massively-connected network of communicating processors (i.e., the Internet)
Re: (Score:2)
s/non//
So, most -profesionals? How... -professional of you.
Sorry, I couldn't resist when there's a bug in your joke regex about software development being hard...
(Maybe Erlang?)
Not till it has better Unicode support, at the very least.
We have Algol-descended languages based on the control-flow idea of 'do this thing, then that thing, in my private resource space',
JavaScript still functions more or less like this. Try developing a Chrome extension -- if you want to communicate between tabs, you're going to end up sending messages. Granted, it's not going to be nearly as efficient as Erlang if you're handling large data structures...
Me, I'm waiting for someth
Re: (Score:2)
Because Safari is not an Open Source browser. No one but Apple can look at all of Safari's source code, let alone submit a fix. Thus the old canard remains unchallenged; this is not endemic to WebKit or KHTML, as it's affecting Safari only, so I'd say the issue is in Apple's code, not the Open Source code.
In a word, yes. (Score:2)
But don't take my word for it. [google.com]
Only if you put the data there to begin with... (Score:2)
Who fills out all their personal information into OS X's address/contact listing? I certainly don't
Re: (Score:2, Informative)
Even if you've never used the Address Book app this information could be in there. In the OS X first-launch setup dialog it asks for your real name, and that gets automatically inserted into the address book. I'd wager that most people who use Macs have done this, so their real names are accessible to any website using this technique.
Additionally, though this is less likely, if you fill out the registration form during setup I believe that information also goes into the address book, so there's your home
Re: (Score:1)
OK, fair enough, but (assuming you use Safari), this issue goes a little deeper...
What information have you filled into web forms? Is Safari set up so it remembers that information?
Sure, your name and address may be safe from the address book, but have you ever entered your name and address on a site and had it remembered?
If you use Safari and you wish to continue using it, it's a very, very good idea to read the first article and turn off the "remember stuff in web forms" immediately, and keep it off until
Re: (Score:2)
I do. It's a rather useful feature.
That I will be using again once this bug is fixed. :P
Re: (Score:2)
I know it's hard to believe, but just because you don't use a particular feature of an OS, it's just barely possible that others do.
"If you use Safari, (Score:5, Funny)
Phew. That takes care of everyone.
Re: (Score:3, Funny)
Well, everyone worth taking care of, at least.
Re: (Score:2)
Bug? (Score:3, Funny)
Just don't hold it like that.
Re: (Score:2)
Re: (Score:1, Funny)
I use Safari in Windows (gasp!)
There, fixed it for you
Re: (Score:2)
How do you know you haven't already had the information taken from you?
Re: (Score:2)
How do you know you haven't already had the information taken from you?
You don't know if you've had info taken from you, either. What do you do about it?
Re: (Score:2)
I don't use Safari so I know this particular exploit hasn't worked on me. Improves my chances, at least.
Re: (Score:2)
Heh. It is interesting that odds fluctuate based on what you don't know.
Re: (Score:2)
Yep. General statistics. If you watch the movie 21, he'll explain variable change.
*situation is that he's hypothetically offered a car that is behind 1 of 3 doors. After choosing one, the host of the show opens one of the doors to reveal nothing. Now does he want to stick with his choice or change it.*
Micky Rosa: He says, "Ben, do you want to stay with door number one or go with door number two?". Now, is it in your interest to switch your choice?
Ben Campbell: Yeah.
Micky Rosa: Well wait, the host knows where the car is. So how do you know he's not trying to play a trick on you - trying to use reverse psychology to get you to pick a goat?
Ben Campbell: Well I wouldn't really care. I mean, my answer's based on statistics - based on variable change.
Micky Rosa: Variable change? But he just asked you a simple question.
Ben Campbell: Yeah, which changed everything.
Micky Rosa: Enlighten us.
Ben Campbell: Well, when I was originally asked to pick a door, I had a 33.3% chance of choosing right. But after he opens one of the doors and re-offers me the choice, it's now 66.7% if I choose to switch... So yeah, I'll take door number two and thank you for the extra 33.3%.
Re: (Score:2)
Heh nice. I'm thinking of Red Dwarf. The ship's blowing fuses all over the place. They escape in Starbug. Lister says "We're just leaving as a precaution. That ship has all these redundant backups and safety devices, the odds of the ship actually exploding are one in...." *ship explodes* "... One."
Re: (Score:2)
Do I still count as a Safari user?
Re:"If you use Safari, (Score:4, Informative)
Yeah, because no one has an iPhone or iPad.
Naccio said...
@ Jeremiah Grossman: Does it work with iPad, iPhone or iPod browser?
July 22, 2010 11:56 AM Jeremiah Grossman said...
@naccio: no, it does not. Mobile Safari's behavior is different.
Not the whole address book (Score:2, Informative)
and the data that this feature has access to includes the user's local address book
The only card that can be read is the "Me" card, not the whole address book.
Re: (Score:2)
Re: (Score:2)
I'm mad as hell... (Score:2)
Re: (Score:1, Redundant)
Only a few users' privacy was violated (Score:3, Funny)
Arthur J. Smith, 30612 Jethro Lane, Biscuitbarrelville Connecticut,
James Walker, 26318 Adrian Telescope Road, Harpenden Maine
Why would anyone use autofill? (Score:2)
Seems to me that autofill creates a database of personal information that is accessible by the Internet and dependent on a browser's security model. Does any kind of software have a worse record for security than Web browsers? (Maybe e-mail clients?)
The first thing I do in any browser is turn off autofill for all fields. Anything I need to type into a form is either already in my head or I can look it up easily (credit card number for instance). Either way, it's personal info that IMO does not need to be at
Overblown? (Score:2, Redundant)
The only time the data is given to the browser is when you've already started typing it. IIRC you have to enter one field and then tab to the next. So if you're giving this data anyway it's not really a vulnerability. The only potential victims are people who start entering data and then decide not to. Worth paying attention to, but not exactly a huge problem.
Re: (Score:2)
Yeah, so they have to guess my name first. Might as well be a password. I'm really not too worried.
proud to be! (Score:1, Offtopic)
But seriou
Re: (Score:2)
It goes a little bit beyond that. Entirely automatic autofill is usually tied to a specific site; everything else is autocomplete. In this case, the attack is to create an input named "name" and insert the letter A in there. If the victim's name starts with A, Safari goes beyond the usual dropdown of options that other browsers use for autocomplete and inserts the whole name directly in the field. If it doesn't, then the attack JavaScript erases the A and writes B, and so on.
It's not a webkit bug. Chrome wi
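The letter-by-letter enumeration described in the comment above, and the point made earlier in the thread (under "DOM event model") that the problem is a browser treating script-generated keystrokes exactly like user keystrokes, as an added example that is not part of the thread and not Safari or WebKit code. The "browser" here is a constructed stand-in: `makeField` models one form field plus the autofill reaction, the `isTrusted` flag is an assumption modelling the user-versus-script distinction the thread attributes to Firefox, and `SAMPLE_ME_CARD` is constructed sample data standing in for the victim's address book entry.

```javascript
// Added example, not code from the thread or from Safari/WebKit: a small
// model of the autofill-enumeration attack described above. The "browser"
// side is a constructed stand-in for Safari's behaviour, not real DOM code.

// Constructed sample "Me" card standing in for the victim's address book entry.
const SAMPLE_ME_CARD = { name: "Jeremiah Grossman", email: "jeremiah@example.com" };

const ALPHABET = "abcdefghijklmnopqrstuvwxyz";

// Model of one form field plus the browser's autofill reaction to a keystroke.
// `trustedOnly` models a browser that ignores script-generated keystrokes
// (what the thread attributes to Firefox); false models the Safari 4/5
// behaviour described: any keystroke, user or script, triggers autofill.
// The isTrusted flag is an assumption of this model, not something the thread names.
function makeField(fieldName, meCard, trustedOnly) {
  const field = { name: fieldName, value: "" };
  field.typeKey = function (ch, isTrusted) {
    field.value += ch;
    if (trustedOnly && !isTrusted) return;        // hardened: synthetic key ignored
    const candidate = meCard[fieldName];
    if (typeof candidate === "string" &&
        candidate.toLowerCase().startsWith(field.value.toLowerCase())) {
      field.value = candidate;                    // whole value dropped into the field
    }
  };
  return field;
}

// Attacker side: type one letter from script, see whether the field grew
// beyond what was typed; if not, clear it and try the next letter.
function enumerateAutofill(field) {
  let attempts = 0;
  for (const ch of ALPHABET) {
    attempts += 1;
    field.value = "";
    field.typeKey(ch, /* isTrusted */ false);     // script-generated keystroke
    if (field.value.length > 1) {
      return { letter: ch, value: field.value, attempts };
    }
  }
  return null;                                    // no autofill leak on this field
}

// Run the loop over several field names; returns what leaked per field.
function harvest(fieldNames, meCard, trustedOnly) {
  const leaked = {};
  for (const name of fieldNames) {
    const hit = enumerateAutofill(makeField(name, meCard, trustedOnly));
    if (hit) leaked[name] = hit.value;
  }
  return leaked;
}

// Stand-alone usage: the vulnerable model leaks both populated fields in at
// most 26 tries each; the trusted-only model leaks nothing.
console.log("vulnerable:", harvest(["name", "email", "phone"], SAMPLE_ME_CARD, false));
console.log("hardened:  ", harvest(["name", "email", "phone"], SAMPLE_ME_CARD, true));
```

The model deliberately keeps the attacker loop trivial: one field, one letter per try, and a check on whether the field's value grew beyond the single character that was written, which is all the technique needs. The only thing that separates the leaking model from the hardened one is the single line that refuses to autofill on a keystroke the browser did not receive from the user, which is the check a browser has to make before letting any form-completion feature react to input events.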
Re: (Score:2)
Re: (Score:2)
I use it once in a while to test compatibility with web applications I'm developing, but even then I find it frustrating to use. Perhaps it is just the windows version, but buttons never respond quickly, in general the browser just feels slow and heavy, and the fact that F5 doesn't refresh a page annoys the hell out of me (as I use it constantly in every other browser)...
It's not just the Windows version; on OS X the Safari reload shortcut is [cmd]+R. The reason for this is that on many Apple computers the F keys are accessed via an [fn] modifier button on the keyboard, since their default function is for volume/media player/screen-brightness control etc. You can change them to work as F keys by default in System Preferences. You aren't complaining about Safari being broken; you are complaining about it not behaving like a Windows app, which is not a bug, it's just different. I