Safari Autofill Exploit Allows Data Theft

The Safari web browser's AutoFill feature is capable of revealing personal user information to cyber criminals, a security researcher has warned.

Jeremiah Grossman, the chief technology officer of WhiteHat Security, wrote on his blog that the AutoFill feature of Apple's Safari web browser 4 and 5 can be used by malicious websites to collect a user's first name, last name, location and other personal account information relating to banking or social networks.

The AutoFill feature, which is activated by default, automatically fills in user information, including location and full name, from the user's personal record stored in the computer's local address book.

Grossman explained that in order to get the user information from the web browser, all the malicious website has to do is “dynamically create form text fields with the aforementioned names, probably invisibly, and then simulate A-Z keystroke events using JavaScript.”

As soon as the form is automatically filled, all the data can then be sent to the hacker.
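A defender's model of the flaw described above, added here as an example and not taken from Grossman's post or from Safari's code: it compares an autofill policy that fills on any keystroke event with one that requires a user-generated keystroke on a visible field. The field descriptors, policy functions and sample cases are constructed assumptions; `isTrusted` is the standard DOM event property that is false for script-dispatched events.

```javascript
// Constructed model, not browser source: when should AutoFill release address-book data?
const field = (name, over = {}) => ({
  name, display: 'block', visibility: 'visible', width: 200, height: 20, opacity: 1, ...over,
});

// A field counts as visible only if the user could actually see it on the page.
function isVisible(f) {
  return f.display !== 'none' && f.visibility !== 'hidden' &&
         f.width > 0 && f.height > 0 && f.opacity > 0;
}

// Weak policy (the behaviour the article describes): any keystroke event triggers a fill.
function weakPolicy(f, ev) {
  return { fill: ev.type === 'keydown', reason: 'keystroke event seen' };
}

// Hardened policy: require a user-generated keystroke on a visible field.
function hardenedPolicy(f, ev) {
  if (ev.type !== 'keydown') return { fill: false, reason: 'not a keystroke' };
  if (!ev.isTrusted) return { fill: false, reason: 'script-generated event' };
  if (!isVisible(f)) return { fill: false, reason: 'field not visible' };
  return { fill: true, reason: 'user keystroke on visible field' };
}

// Constructed sample events: one genuine keystroke, three that should not release data.
const CASES = [
  { f: field('last_name'), ev: { type: 'keydown', isTrusted: true } },
  { f: field('first_name', { display: 'none' }), ev: { type: 'keydown', isTrusted: false } },
  { f: field('city', { width: 0, height: 0 }), ev: { type: 'keydown', isTrusted: true } },
  { f: field('email'), ev: { type: 'keydown', isTrusted: false } },
];

// Names of the fields a given policy would fill for the sample events.
function filledFields(policy, cases = CASES) {
  return cases.filter(({ f, ev }) => policy(f, ev).fill).map(({ f }) => f.name);
}

console.log('weak    :', filledFields(weakPolicy));
console.log('hardened:', filledFields(hardenedPolicy));
```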