Safari’s AutoFill options are enabled by default to fill web forms with your name, email address, physical address, phone number, and other details that you store in your personal Address Book card (you can find these options under Safari -> Preferences -> AutoFill). Start typing the first couple of letters in your name, or the first number of your street address, and Safari will automatically fill out the rest to help you complete the form more quickly.
As reported by InformationWeek, WhiteHat Security founder and CTO Jeremiah Grossman described on his blog how a malicious hacker could take advantage of Safari’s AutoFill feature. You may remember Grossman from his discovery of other browser security exploits, such as “clickjacking” in 2008. A frequent research colleague, Robert Hansen, set up a harmless proof-of-concept site so that you can watch the exploitation in action. (You can find a link to the proof of concept, should you be so inclined, via Grossman’s blog above.)
Basically, a maliciously crafted web form can cycle through letters and numbers in each text entry field until it triggers Safari’s auto-fill functionality. The form can then be automatically submitted to the hacker so the information can be sold to spammers and otherwise exploited.
Grossman blames a flaw in WebKit, the open-source engine that powers Safari on both the Mac and iOS devices, as well as Google’s Chrome browser and browsers on other mobile devices. However, Hansen’s proof-of-concept site does not appear to work on the most recent version of Chrome; that may be because Chrome does not tie into Apple’s Address Book for auto-filling the way Safari does. Also, on the mobile version of Safari, you apparently have to consciously tap the AutoFill button.
Fortunately, there’s an easy way to defend against the malicious exploitation of Safari’s AutoFill feature. You can simply disable the “Using info from my Address Book” option in the AutoFill preferences pane.
Grossman wrote in his blog post that he alerted Apple about this exploitation of Safari’s auto-fill feature on 17 June. So far, all he has received is an automated reply. While this sounds like it’s mainly just exploiting a feature designed for convenience and not technically a bug, it still seems that Apple may need to tweak Safari’s AutoFill feature to prevent this behaviour.