Safari users beware: Default settings are dangerous

Safari users - turn off your AutoFill option at once. It's probably on as this is the default setting.

9 to 5 Mac is reporting that by leaving the feature on, you are opening yourself up to a world of cyber nasties, just waiting to steal all of your details.

Jeremiah Grossman details how the security glitch happens:

"These fields are AutoFill'ed using data from the users personal record in the local operating system address book. Again it is important to emphasize this feature works even though a user never entered this data on any website.

"Also this behaviour should not be confused with normal auto-complete data a Web browser may remember after its typed into a form. All a malicious website would have to do to surreptitiously extract Address Book card data from Safari is dynamically create form text fields with the aforementioned names, probably invisibly, and then simulate A-Z keystroke events using JavaScript.

"When data is populated, that is AutoFill’ed, it can be accessed and sent to the attacker. The entire process takes mere seconds and represents a major breach in online privacy. This attack could be further leveraged in multi-stage attacks including email spam, (spear) phishing, stalking, and even blackmail if a user is de-anonymized while visiting objectionable online material".

The security flaw has been known about for a year now although it isn't yet clear why it has taken so long for knowledge to reach the public domain.

But you know now, so get it turned off.



>