A new security vulnerability has been found in Apple Safari’s Autofill feature, which can allow malicious websites to extract users’ personal information from their Address Book.
“All a malicious website would have to do to surreptitiously extract Address Book card data from Safari is dynamically create form text fields with the aforementioned names, probably invisibly, and then simulate A-Z keystroke events using JavaScript. When data is populated, that is AutoFill’ed, it can be accessed and sent to the attacker,” wrote security researcher Jeremiah Grossman.
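The technique Grossman describes relies on form fields the user never sees. The following is an added example, not code from the article or from Grossman’s proof of concept: a small audit heuristic, of the kind a browser extension or a devtools snippet might run, that flags text inputs which carry contact-style names yet are concealed from the user. The watch-list of field names is an assumption for illustration (the article does not list the names Safari matches on), and the field descriptors are constructed so the logic runs in Node without a DOM; `collectFields` shows how the same descriptors would be built from a live document.

```javascript
// Added example (not from the article): flag concealed form fields whose names
// suggest they are positioned to catch browser AutoFill contact data.

// ASSUMED watch-list of tokens commonly used in contact-card field names.
// Illustrative only; not the list the researcher referred to.
const CONTACT_TOKENS = new Set([
  'name', 'firstname', 'lastname', 'email', 'phone', 'tel', 'mobile',
  'address', 'street', 'city', 'state', 'zip', 'postal', 'country', 'company',
]);

// Split a field name into lowercase alphanumeric tokens, so "phone-number"
// matches on "phone" but "username" does not match on "name".
function tokens(name) {
  return String(name || '').toLowerCase().split(/[^a-z0-9]+/).filter(Boolean);
}

function isContactField(name) {
  return tokens(name).some(t => CONTACT_TOKENS.has(t));
}

// A field is concealed if the user could not see it: hidden via CSS,
// fully transparent, zero-sized, or positioned off-screen.
function isConcealed(field) {
  const s = field.style || {};
  if (s.display === 'none' || s.visibility === 'hidden') return true;
  if (parseFloat(s.opacity) === 0) return true;
  if (field.width === 0 || field.height === 0) return true;
  return Boolean(field.offscreen);
}

// Returns the descriptors that look like hidden AutoFill collectors.
// A visible email field on a sign-up form is normal and is not flagged;
// only concealed contact-named text inputs are.
function findSuspiciousFields(fields) {
  return fields.filter(f =>
    (f.type === 'text' || f.type === undefined) &&
    isContactField(f.name) &&
    isConcealed(f));
}

// Builds descriptors from a live DOM (browser only; not exercised here).
// `doc` and `win` are assumed to be a Document and its Window.
function collectFields(doc, win) {
  return Array.from(doc.querySelectorAll('input')).map(el => {
    const cs = win.getComputedStyle(el);
    const r = el.getBoundingClientRect();
    return {
      name: el.name || el.id,
      type: el.type,
      style: { display: cs.display, visibility: cs.visibility, opacity: cs.opacity },
      width: r.width,
      height: r.height,
      offscreen: r.right < 0 || r.bottom < 0,
    };
  });
}

// Constructed sample input: a visible login field, a visible email field,
// and two concealed contact-named fields.
const SAMPLE_FIELDS = [
  { name: 'username',     type: 'text', style: { display: 'block' }, width: 200, height: 24 },
  { name: 'email',        type: 'text', style: { display: 'block' }, width: 200, height: 24 },
  { name: 'email',        type: 'text', style: { display: 'none' },  width: 0,   height: 0 },
  { name: 'phone-number', type: 'text', style: { opacity: '0' },     width: 200, height: 24 },
];

for (const f of findSuspiciousFields(SAMPLE_FIELDS)) {
  console.log(`suspicious concealed field: ${f.name}`);
}
```

Running the block on the constructed sample reports the hidden `email` field and the transparent `phone-number` field and leaves the visible ones alone. The heuristic is deliberately conservative: it keys on concealment plus a contact-style name, since either signal on its own is common on legitimate pages.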
Grossman submitted the vulnerability to Apple on 17th June, but Apple is yet to comment on the issue. Grossman has also released proof-of-concept code illustrating how the vulnerability works.
The vulnerability affects both Safari 4 and Safari 5 on Mac computers, with no patch in sight from Apple.