Safari AutoFill Security Issue Rears Its Head Once Again
Back in July, security researcher Jeremiah Grossman revealed a security issue that could allow malicious parties to take advantage of Safari's AutoFill feature to extract personal information from users' Address Book entries. At the time, Grossman reported that his report to Apple had gone essentially unacknowledged for nearly a month, but just six days later Apple released Safari 5.0.1 and 4.1.1 to address the problem.
Screenshot of Grossman's proof-of-concept test of new AutoFill exploitGrossman
now reports that he has discovered another similar AutoFill security issue that, while requiring the malicious party to trick users into providing a pair of keystrokes rather than being completely automated as in the previous exploit, offers an even more efficient means for users' personal information to be obtained.
To perform our attack requires tiny bit of end-user trickery. Two button presses to be precise. A malicious website detects (ie: IP address) the country the victim is from. For our purposes here we'll assume the "US." The attacker invisibly (CSS transparency) sets up the aforementioned form and forces the keystroke focus into the country element. Notice how this is done in the video on the right side of the screen, which only visible for demonstration purposes. Next the attacker entices the victim to type "U" (first character of "US") and then press "TAB." And BAM! That's it! Data stolen.
Grossman relates that he notified Apple of the newly-discovered exploit via email on August 10th and again a few days later. One week after that, he received a phone call from an Apple product security engineer with whom he had a "productive chat" about how the original vulnerability report from June had been handled, only to discover at the end of the conversation that the engineer had no idea that Grossman had reported the second issue a week and half prior.
As with the earlier exploit, users can protect themselves by simply turning off the AutoFill option to automatically populate forms with information from their Address Book cards. Grossman notes, however, that he is unsure how Apple plans to address the vulnerability while still maintaining the convenience of the AutoFill feature. While Apple's previous patch allowed Safari to automatically differentiate from the automated JavaScript-simulated keystrokes from real keystrokes, thus thwarting the original exploit, the new exploit relies on tricking the user into actually entering the necessary keystroke, a tactic that could be more difficult to address.
Popular Stories
iOS 18.3 should be released to the public next week, following beta testing since mid-December. While the software update is a relatively minor one, it still includes a handful of new features, changes, and bug fixes for iPhones.
Below, we recap everything new in iOS 18.3.
Notification Summary Changes
Examples of inaccurate Apple Intelligence notification summaries
Apple Intelligence...
Apple is set to release iOS 18.3 next week, bringing further refinements to Apple Intelligence features, a couple of neat new capabilities to iPhone 15 Pro and iPhone 16 devices, and bug fixes.
While not quite as packed with new features as Apple's preceding iOS 18 point releases, iOS 18.3 still introduces capabilities that aim to make your iPhone smarter and more intuitive. Below, we've...
iOS 18.3 is expected to be widely released next week, and that means the first iOS 18.4 beta for iPhones should be just around the corner.
Apple has previously implied that iOS 18.4 will be released in April, as that is when it promised to make Apple Intelligence available in even more languages.
Below, we outline what to expect from iOS 18.4 so far.
Apple Intelligence for Siri
Siri ...
Walmart still does not accept Apple Pay or other NFC payments at its more than 4,600 stores across the U.S., and it stood firm on its reasoning for that today.
A spokesperson for Walmart today informed MacRumors that its position on contactless payments has not changed since we last reached out about the matter in 2022. The big-box retailer said it remains focused on its own convenient...
A new Apple TV is expected to be released later this year. In this article, we recap rumored features and changes for the device.
The next Apple TV will be equipped with Apple's own combined Wi-Fi and Bluetooth chip, according to Bloomberg's Mark Gurman. He said the chip supports Wi-Fi 6E, which would be an upgrade over the current Apple TV's standard Wi-Fi 6 support. Wi-Fi 6E extends the...
Apple provided developers and public beta testers with the release candidate version of iOS 18.3 today, and with it comes release notes confirming what's new. While we knew about several of the features that are in the update, there are some lesser known tweaks and bug fixes.
The update adds new Visual Intelligence features for iPhone 16 models, it tweaks Notification summaries on all...
The upcoming iPhone 17 models that Apple plans to release this year will not feature a smaller Dynamic Island, Apple analyst Ming-Chi Kuo said today.
On social media, he said that he is expecting the size of the Dynamic Island to remain "largely unchanged" across the iPhone 17 lineup. His statement is contrary to prior rumors that we've heard about planned changes for the iPhone 17 models.
...
Apple's retail stores will be rolling out "merchandise/floor marketing updates" next week, according to Bloomberg's Mark Gurman.
Gurman did not explicitly say if the store updates are related to any upcoming product announcements, but he did mention that next week is around the time that Apple rolls out its annual Black Unity watch band for the Apple Watch.
In each of the past four years, ...
It's also time for Apple's first product announcement of the year.
Last year, Apple said it would be launching Powerbeats Pro 2 in 2025, and the wireless earbuds are expected to launch very soon.
Powerbeats Pro 2 images found in iOS 18 code
In his Power On newsletter last weekend, Bloomberg's Mark Gurman said the Powerbeats Pro 2 are "due imminently." In addition to Apple filing the...
