It appears that the Safari 5.0.1 update fixes the AutoFill security bug that we reported on last week. The flaw allowed malicious websites to gain access to users’ Address Book information via Safari’s AutoFill feature. Impact: Safari’s AutoFill feature may disclose information to websites without user interaction Description: Safari’s AutoFill feature can automatically fill out […]
" />

Quick Note: Safari Update Fixes AutoFill Security Bug

It appears that the Safari 5.0.1 update fixes the AutoFill security bug that we reported on last week. The flaw allowed malicious websites to gain access to users’ Address Book information via Safari’s AutoFill feature.

Impact: Safari’s AutoFill feature may disclose information to websites without user interaction

Description: Safari’s AutoFill feature can automatically fill out web forms using designated information in your Mac OS X Address Book, Outlook, or Windows Address Book. By design, user action is required for AutoFill to operate within a web form. An implementation issue exists that allows a maliciously crafted website to trigger AutoFill without user interaction. This can result in the disclosure of information contained within the user’s Address Book Card. To trigger the issue, the following two situations are required. First, in Safari Preferences, under AutoFill, the “Autofill web forms using info from my Address Book card” checkbox must be selected. Second, the user’s Address Book must have a Card designated as “My Card”. Only the information in that specific card is accessed via AutoFill. This issue is addressed by prohibiting AutoFill from using information without user action. Devices running iOS are not affected. Credit to Jeremiah Grossman of WhiteHat Security for reporting this issue.

The reporter, Mr. Grossman, reported the issue to Apple on June 17th, but went public with the find just last week. Apple acknowledged the flaw soon after, and stated that a fix was on the way.

Continue reading:

TAGS: