Safari Vulnerable to Auto-Fill Security Bug (Again)

You might remember that Apple's Safari browser got hit by a nasty security bug involving its text auto-fill feature in late July. Apple squashed this bug with the Safari 5.0.1 update, but according to the researcher who discovered the auto-fill flaw in the first place, the bug is back.

According to Jeremiah Grossman, the founder of WhiteHat Security, this flaw is a slight variation on the original auto-fill flaw that allowed malicious Websites to harvest your personal information--such as your name, address, workplace, and e-mail address--without you knowing, even if you've never visited the site before.

The new version of this hack is less "automatic" than the initial one, according to Grossman, but a hacker just needs to perform a little social engineering to get a hapless Web user to give up their personal details.

As before, Grossman suggests that, if you use Safari, you should disable form auto-fill to avoid getting taken by this bug. To do so, open the "Gear" menu in Safari's toolbar (on Mac OS X, the Safari menu) and select Preferences. Click AutoFill in the toolbar, and uncheck all three boxes.

It's just another reminder that you can't trust anyone--or anything--online. If you want to learn more about the technical nitty-gritty, see Grossman's blog post on the topic.

[via MacRumors]
