Safari Autofill Full of Fail
Jul 23, 2010 11:37 AM PT
Safari's Autofill feature, which can be set to automatically insert a user's data such as name and address into Web forms, could expose users to theft of their personal information, according to security expert Jeremiah Grossman.
Grossman, the founder and CTO of security firm WhiteHat, wrote in his blog that the feature autofills HTML form text fields that carry specific attribute names such as "name," "company," "city," and "state." It does so even if the victim has never entered this data on any website.
It's been known since 2006 that the Autofill feature on a browser could be a security risk.
Stealing Data With Safari Autofill
Safari browser users can have their data stolen the moment they visit malicious websites, even if they've not visited those sites before or entered any personal information, Grossman wrote.
Once the webform has been autofilled, the data can be sent to the attacker, Grossman wrote.
"The entire process takes mere seconds and represents a major breach in online privacy," Grossman wrote. Multi-stage attacks, including email spam, spearphishing, stalking and blackmail, could be launched using this technique, Grossman wrote.
Such attacks could be easily and cheaply distributed on a large scale using an advertising network "where likely no one would ever notice because it's not exploit code designed to deliver rootkit payload," Grossman wrote. There is no guarantee this type of attack hasn't already taken place, he said.
"This feature just makes it easier for criminals to do mass collections of information that they can later sell, and compromise your identity," said Rob Enderle, principal analyst at the Enderle Group.
However, the Autofill attack can't obtain data beginning with a number, such as phone numbers or street addresses, because "for some reason the data would not populate in the text field," Grossman wrote.
Any Apple Polishing Yet?
Grossman notified Apple on June 17 and received an autoresponse but hasn't heard from Apple since, he wrote.
"Apple has been substantially less aggressive publicly with security issues than either Mozilla or Microsoft for over a decade," Enderle pointed out. "It seems to practice the 'don't ask, don't tell' process of threat mitigation in general, which means we are never sure what they actually know with regard to problems," Enderle told MacNewsWorld.
Perhaps Apple has good reason to downplay security threats.
"The Mac market share has been small enough that it would take a large percentage of Mac users complaining for a problem to be seen as needing to be addressed," Randy Abrams, director of technical education at ESET, told MacNewsWorld.
"I suspect that more than 90 percent of Mac users are completely unaware of the issue so, even if they did care, they don't know to care," Abrams added.
Autofill Attack Targets
Apparently, the attack doesn't work on the browser used in iOS, the operating system Apple uses for the iPhone, iPad and iPod touch, according to one reader's comment on Grossman's blog. Further, some readers weren't able to reproduce the attack on Safari 5, although others were.
Other browsers may not be threatened by the Autofill attack.
"I am not aware of the problem affecting other browsers," ESET's Abrams said. "I believe that Safari is unique in linking to the address book by default."
Practicing Safe Mac Use
The solution to this problem seems to be easy enough: Mac users just have to turn off the Autofill feature in their Safari browsers.
"That's true, but who wants to turn off Autofill?" Enderle asked. "That is one handy feature."
However, turning off the Autofill feature isn't enough.
"In theory, that's the solution, but users should delete the contents of their address book in the Mac OS and use a third-party address book that's not linked to a browser," ESET's Abrams said.
Users should review the settings of their Web browsers and other applications, Abrams recommended. "There's no guarantee that when the next version of Safari comes out, it won't revert to default settings," he pointed out.
Even if users select another browser, such as Firefox, they need to check the default settings, Abrams warned.
"Users will never be sure of remaining safe or maintaining their privacy if they do not review their browser settings and change them to enhance security and privacy from the lax default settings the browsers ship with," Abrams remarked.
"Don't use autofill for information such as passwords, birth dates, Social Security numbers, credit card validation numbers and credit card expiration dates," Enderle said. "If you wouldn't put it on Facebook, it shouldn't be in Autofill."
Nothing New Under the Sun?
The danger of the Safari Autofill feature was disclosed as early as April 2009 by Swiss software developer and entrepreneur Patrice Neff.
He wrote some HTML code to conduct an autofill attack that would steal a user's birthdate and posted it on his blog.
Indeed, the Autofill feature's dangers were being discussed on the Internet as far back as 2006.
Why has nobody done anything about this?
"The Autofill feature is really handy and people will often take a very real benefit when it's offset only by a very murky risk," Enderle said.