Apple Patches Safari AutoFill Bug
Apple has patched a vulnerability in its Safari browser just 24 hours before the flaw was to be presented to Black Hat security conference
Apple has left it to the last minute after the company patched a bug in Safari just 24 hours before it featured in a researcher’s presentation about browser exploits.
The Safari AutoFill flaw was among 15 fixed by Apple 28 July in a Safari update.
All but two of the bugs reside in the WebKit browser engine. Several of the WebKit bugs could lead to arbitrary code execution, such as a memory corruption issue in WebKit’s handling of regular expressions that could be used by a malicious site to execute code.
AutoFill Flaw
Much of the attention, however, has focused on the AutoFill flaw, which will be part of a presentation 29 July by WhiteHat Security CTO Jeremiah Grossman at the Black Hat security conference in Las Vegas. By taking advantage of what Apple called an “implementation issue,” Grossman discovered, it was possible for attackers to abuse Safari’s AutoFill feature to swipe names, addresses and other information from Safari users.
The AutoFill feature fills in information such as email addresses and names by default when it recognises a form. The feature pulls the data from the local operating system address book to automatically fill HTML form text fields with specific attribute names such as name and city.
According to Apple, an implementation issue exists that allows a maliciously crafted website to trigger AutoFill without user interaction and that can result in the disclosure of information from the user’s Address Book Card.
Apple Fix
In a blog post 21 July, Grossman noted, “All a malicious website would have to do” to steal the Address Book card data is “dynamically create form text fields with the aforementioned names, probably invisibly, and then simulate A-Z keystroke events using JavaScript. When data is populated that is AutoFilled, it can be accessed and sent to the attacker.”
At Black Hat, Grossman said it seemed like Apple had fixed the bug. In his talk, he will demonstrate how attackers can hack the auto-complete features of popular browsers, including Internet Explorer and Firefox, to get information.
