homepage Welcome to WebmasterWorld Guest from 54.167.75.155
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Become a Pro Member
Home / Forums Index / Browsers / Apple Safari
Forum Library, Charter, Moderator: open

Apple Safari Forum

    
Safari Vulnerability: Auto-complete Content can be Hacked!
Auto fill can give up personal info
willybfriendly




msg:4174951
 8:11 pm on Jul 22, 2010 (gmt 0)

WhiteHat has disclosed a critical security vulnerability in Apple's Safari browser that could allow hackers to extract personal information from the OS X address book.


TG Daily [tgdaily.com]

Also PC World, ZDNet, et al

 

tedster




msg:4174979
 8:50 pm on Jul 22, 2010 (gmt 0)

The original credit for reporting this should go to Jeremiah Grossman [jeremiahgrossman.blogspot.com]

It seems that a malicious website can uncover a Safari user's name, work place, city, state, and email address by hacking the auto-complete function.

And for the record, he did the honorable thing and let Apple know last month - before going public this month.

I figured Apple might appreciate a vulnerability disclosure prior to public discussion, which I did on June 17, 2010 complete with technical detail. A gleeful auto-response came shortly after, to which I replied asking if Apple was already aware of the issue. I received no response after that, human or robot.

Demaestro




msg:4175014
 9:31 pm on Jul 22, 2010 (gmt 0)

According to Ars and Secunia Apple has just .....

displaced Oracle as the company with the most security vulnerabilities in its software

....


Though this does not necessarily mean that Apple's software is the most insecure in practice—the report takes no consideration of the severity of the flaws


[arstechnica.com...]

albo




msg:4175035
 10:16 pm on Jul 22, 2010 (gmt 0)

"Apple ...the company with the most security with the most security vulnerabilities in its software... Though this does not mean [its] software is the most insecure in practice."

I worked for a state government bureaucracy for 30 years. This wording sounds like something straight out of a memo written by a middle-management paper-pusher.

tedster




msg:4175037
 10:21 pm on Jul 22, 2010 (gmt 0)

I'm more troubled by a month-plus with no action than the vulnerability itself. When someone finds a security hole and is honorable enough to tell you in private, you don't shove them to the curb.

To me, that smells like a corporate culture problem at Apple. The company is high on its recent success and is forgetting some of the business basics.

Demaestro




msg:4175058
 11:02 pm on Jul 22, 2010 (gmt 0)

Though this does not mean [its] software is the most insecure in practice.

I worked for a state government bureaucracy for 30 years. This wording sounds like something straight out of a memo written by a middle-management paper-pusher.



lol totally, but I am sure you know they just mean that having the most vulnerabilities doesn't make you the most insecure.

For example you could have 100 vulnerabilities that all give access to your browser history in Safari. (not real)

Compare that to only 1 vulnerability that gives your access to your stored passwords in Chrome (not real)

1 would be more insecure, 1 would have more vulnerabilities.

BillyS




msg:4175294
 12:07 pm on Jul 23, 2010 (gmt 0)

I think these recent trends demonstrate how difficult it is to write code. As Apple continues to get pushed into the spotlight, this is going to happen. It's also going to hurt the perception that Apple is head and shoulders above everyone else.

oodlum




msg:4175327
 1:00 pm on Jul 23, 2010 (gmt 0)

incrediBILL must be asleep.

Propools




msg:4175365
 2:45 pm on Jul 23, 2010 (gmt 0)

As a general rule for security, I never allow anything to auto-complete.

So, I guess that would mean that from that standpoint "I'm safe" ?

tedster




msg:4175384
 3:29 pm on Jul 23, 2010 (gmt 0)

No, sorry to say, that's not enough because the visitor doesn't actually see this hack happening on the screen. You've got to turn off the auto-complete function completely. Or better still, don't have any real data available for the browser to use.

This particular stew is getting thicker - there's a similar vulnerability in IE6 and IE7. See IE and Safari lets attackers steal user names and addresses [theregister.co.uk]

In a talk scheduled for next week's Black Hat security conference in Las Vegas, Jeremiah Grossman, CTO of White Hat Security, plans to detail critical weaknesses that are enabled by default in the browsers, which are the four biggest by market share. The vulnerabilities have yet to be purged by the respective browser makers despite months, and in some cases, years of notice.

Sgt_Kickaxe




msg:4175697
 6:42 am on Jul 24, 2010 (gmt 0)

Not having any data available for the browser is something major search engines like Google don't want, their harvesters are always hungry.

I just wanted to add that it's not as dangerous to have auto-complete on as it is to enter ANY form box information on a site you don't trust. You have no way of knowing if the password or other information you type in is secure afterwards or if a script is copying it.

NEVER use the same login name and password on more than one site.

incrediBILL




msg:4175975
 1:39 am on Jul 25, 2010 (gmt 0)

incrediBILL must be asleep


On a small vacation in Nevada where it was hotter than H3LL!

I think these recent trends demonstrate how difficult it is to write code.


Coding isn't difficult nor is writing secure code.

There is simply a discipline and protocol that needs to be followed to make sure that all the code you write is as secure as possible, requiring coding standards, code review, vulnerability testing, so on and so forth.

I can't say anything about Apple's coding standards because I've never seen them personally, but if they have them, and I assume they do, things like this will point out gaping holes in their standard practices and procedures and they'll plug that hole in the future.

Then again, Microsoft, a much bigger company, continues to produce "secure code" with more holes than Swiss Cheese so don't hold your breath.

BillyS




msg:4176149
 4:49 pm on Jul 25, 2010 (gmt 0)

Coding isn't difficult nor is writing secure code.

There is simply a discipline and protocol that needs to be followed to make sure that all the code you write is as secure as possible, requiring coding standards, code review, vulnerability testing, so on and so forth.


I guess if writing secure code is easy (sorry, my mistake) then you're pointing out that Apple is unwilling to pay for the correct testing of that code or is rushing untested code to market.

That's too bad. This again validates the thought Apple is only concerned about making money - shortcuts are everywhere. Apple seems to be just as guilty as the next guy.

Thanks for clearing this up.

Then again, Microsoft, a much bigger company, continues to produce "secure code" with more holes than Swiss Cheese so don't hold your breath.

You've got that backwards, Apple is bigger than Microsoft. Again, shame on Apple.

incrediBILL




msg:4176199
 6:45 pm on Jul 25, 2010 (gmt 0)

I guess if writing secure code is easy


I said it required rigorous process control to make it happen, which can be relatively easy once it's in place.

However, the minute someone cuts a corner, it falls apart.

You've got that backwards, Apple is bigger than Microsoft. Again, shame on Apple.


I meant bigger in terms of purely software production and Microsoft produces way more software products than Apple.

Global Options:
 top home search open messages active posts  
 

Home / Forums Index / Browsers / Apple Safari
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved