As if problems with iPhone antennas weren't enough, Apple now has a new worry: a serious security flaw in its Safari browser that only affects Mac users. Jeremiah Grossman found the flaw and describes it in his blog:
Right at the moment a Safari user visits a website, even if they’ve never been there before or entered any personal information, a malicious website can uncover their first name, last name, work place, city, state, and email address. Safari v4 & v5, with a combined market browser share of 4% (~83 million users), has a feature (Preferences > AutoFill > AutoFill web forms) enabled by default. Essentially we are hacking auto-complete functionality.
Charming. To his credit, Grossman did the responsible thing and reported it to Apple before going public. But…:
I figured Apple might appreciate a vulnerability disclosure prior to public discussion, which I did on June 17, 2010 complete with technical detail. A gleeful auto-response came shortly after, to which I replied asking if Apple was already aware of the issue. I received no response after that, human or robot. I have no idea when or if Apple plans to fix the issue, or even if they are aware, but thankfully Safari users only need to disable AutoFill web forms to protect themselves.
Lovely. Another example of Apple dropping the ball when it comes to security. Again. It gets worse: there is proof-of-concept code floating around for this. Just go to this website to see the exploit in action; open it in Safari on your Mac and watch what happens next.
If you want to protect yourself, you have two choices:
- Go to Safari > Preferences > AutoFill and, under "AutoFill web forms", uncheck "Use info from my Address Book card" (that is the setting Grossman is referring to) if you want to keep using Safari on your Mac
- Switch to another browser. Chrome and Firefox would be my choices.
Choose wisely.
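If you go with the first option and have more than one Mac to look after, the same checkbox can be audited and flipped from a shell. The script below is an added example, not code from this post or from Grossman's write-up. It assumes that the "Use info from my Address Book card" checkbox is backed by the com.apple.Safari defaults key AutoFillFromAddressBook (1 = on, 0 = off), and it treats a key that was never written as "enabled" because, as Grossman notes, the feature is on by default. On a machine without the defaults command it reports "unknown" rather than guessing.

```shell
#!/bin/sh
# Added example (not from the post or from Grossman's write-up): audit and,
# on request, disable Safari's Address Book AutoFill from the command line.
# Assumption: the "Use info from my Address Book card" checkbox is backed by
# the defaults key com.apple.Safari AutoFillFromAddressBook (1 = on, 0 = off).
# Without a `defaults` command (non-Mac host) the state is reported as "unknown".

SAFARI_DOMAIN="com.apple.Safari"
AUTOFILL_KEY="AutoFillFromAddressBook"

# Maps a raw `defaults read` value to "enabled" or "disabled".
# An empty value (key never written) counts as enabled: the feature is on
# by default, which is exactly the problem the post describes.
classify_autofill_value() {
    case "$1" in
        0|false|NO) echo disabled ;;
        *)          echo enabled ;;
    esac
}

# Prints one of: enabled, disabled, unknown.
autofill_state() {
    command -v defaults >/dev/null 2>&1 || { echo unknown; return 0; }
    classify_autofill_value "$(defaults read "$SAFARI_DOMAIN" "$AUTOFILL_KEY" 2>/dev/null)"
}

# Writes the key as false. Returns non-zero where `defaults` is unavailable.
autofill_disable() {
    command -v defaults >/dev/null 2>&1 || return 1
    defaults write "$SAFARI_DOMAIN" "$AUTOFILL_KEY" -bool false
}

# Report, and remediate when invoked as: sh safari-autofill.sh fix
main() {
    state=$(autofill_state)
    echo "Safari Address Book AutoFill: $state"
    if [ "$1" = "fix" ] && [ "$state" = "enabled" ]; then
        autofill_disable && echo "Disabled. Quit and relaunch Safari for the change to apply."
    fi
}

main "$@"
```

Run it with no arguments to report, or with fix to remediate, then quit and relaunch Safari so it rereads its preferences. On recent macOS releases Safari keeps its preferences inside a sandbox container, so confirm the result in the Preferences window rather than trusting the defaults write alone.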
Google To Be Fined Millions Over Safari Breach
Posted in Commentary with tags FTC, Google, Privacy, Safari on May 5, 2012 by itnerd

Bloomberg is reporting that the Federal Trade Commission will fine Google for bypassing the privacy settings of Apple's Safari web browser. You might recall that happened a little while back. Now the word is that the fine could be as much as $19 million.
The FTC is preparing to allege that Mountain View, California-based Google deceived consumers and violated terms of a consent decree signed with the commission last year when it planted so-called cookies on Safari, bypassing Apple software’s privacy settings, the person said.
Sucks to be them. But given that Google has a history of playing fast and loose with the privacy of its users, they deserve it.