As if the iPhone antenna problems weren’t enough, Apple now has a new worry: a serious security flaw in its Safari browser that only affects Mac users. Jeremiah Grossman found the flaw and describes it on his blog:
Right at the moment a Safari user visits a website, even if they’ve never been there before or entered any personal information, a malicious website can uncover their first name, last name, work place, city, state, and email address. Safari v4 & v5, with a combined market browser share of 4% (~83 million users), has a feature (Preferences > AutoFill > AutoFill web forms) enabled by default. Essentially we are hacking auto-complete functionality.
Charming. Grossman did the responsible thing and reported it to Apple. But…:
I figured Apple might appreciate a vulnerability disclosure prior to public discussion, which I did on June 17, 2010 complete with technical detail. A gleeful auto-response came shortly after, to which I replied asking if Apple was already aware of the issue. I received no response after that, human or robot. I have no idea when or if Apple plans to fix the issue, or even if they are aware, but thankfully Safari users only need to disable AutoFill web forms to protect themselves.
Lovely. Another example of Apple dropping the ball when it comes to security. Again. It gets worse: there’s proof-of-concept code floating around for this. Just go to this website to see the exploit in action. Open it in Safari on your Mac and see what happens next.
If you want to protect yourself, you have two choices:
- Go to Preferences > AutoFill and uncheck “Use info from my Address Book card” if you want to keep using Safari on your Mac.
- Switch to another browser. Chrome and Firefox would be my choices.
Choose wisely.