
I know your name, where you work, and live (Safari v4 & v5)  - tptacek
http://jeremiahgrossman.blogspot.com/2010/07/i-know-who-your-name-where-you-work-and.html
======
tptacek
(Title _sic_.)

Short summary: Safari autocompletes forms from your private address book, and
can be tricked into doing that by Javascript events on form fields named in
ways Safari would want to autocomplete; worse, once autocompleted, that data
can be read out of the form by the same JS that triggered the event.

Long story short, if you browse to a site with Safari and you have
autocomplete on, that site can slurp some stuff out of your address book.

~~~
jvdh

> that site can slurp some stuff out of your address book.

More specifically, it can slurp some stuff from your personal address card
that you've set in AddressBook.app. This hack does not allow you to get the
address of someone's mother-in-law.

~~~
jonknee
> This hack does not allow you to get the address of someone's mother-in-law.

Unless you're the mother-in-law :).

------
macrael
What do other browsers do differently to prevent this from being a problem?

~~~
tuxychandru
They do not use your system's address book to fill forms online.

~~~
macrael
Doesn't firefox autofill forms? I didn't realize that was a safari only
feature.

~~~
natmaster
Autocomplete by other browsers works by remembering things you entered in
forms previously (maybe restricted to domain?). One distinction is that you
already decided you wanted to expose that information.

The most important distinction though, is that you have to still select to
fill that out manually.

Of course logins are another story - those are automatically filled in. But
those are restricted to the page you already entered them on, and you have to
decide you want that information filled explicitly.

~~~
loewenskind
Couldn't you still use a variation of this hack to steal the info from
Firefox?

Steps:

1. Go to a popular site that makes one fill out the information you want to
steal.

2. Record the name they use for all their fields (afaik this is how FF
determines what value to supply).

3. Use the hack to make a form with those fields.

4. Profit.

On step 3, it may be that you have to enter the field and type something to
get the auto-complete to kick in, but that's easy: you only need to try 26
letters and 10 numbers to get a hit.

~~~
natmaster
Autocomplete is activated by user interaction, not javascript events. The only
way to trigger this would be a phishing attack, where you tricked the user
into entering their information in.... but in that case, you're not really
benefiting from autocomplete because they would have given it to you anyway.

~~~
InclinedPlane
Yup. Also worth noting is that this is a proof of concept; a real attack would
likely use non-visible form fields and background automatic data transmission.
I think most people would agree that there's a world of difference between a
phishing attack and an automated drive-by attack.
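As an added illustration of the concealed-field variant described above (this is not code from the thread or from the original post): a heuristic scanner that flags form inputs which are hidden from view yet named so that a personal-data autofill would target them. The HTML sample is constructed for the demo, and the attribute parser and name list are deliberate simplifications.

```javascript
// Flags inputs that are concealed (type=hidden or hidden via inline CSS) and
// carry a name that matches typical address-book autofill fields. Such fields
// have no legitimate reason to be invisible, so they are worth a manual look.

// Field names an address-book autofill would typically target (assumed list).
const BAIT_NAMES = /^(?:first|last|full)?_?name$|^(?:e-?mail|phone|tel|mobile|address|street|city|state|zip|postal(?:_?code)?|company|organization)$/i;

function parseAttrs(tag) {
  // Collect name="value", name='value' and bare name=value pairs from one tag.
  const attrs = {};
  const re = /([\w:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

function isConcealed(attrs) {
  // Normalise the inline style so the checks below do not depend on spacing.
  const style = (attrs.style || "").toLowerCase().replace(/\s+/g, "");
  return attrs.type === "hidden" ||
    /display:none|visibility:hidden|opacity:0(?:;|$)/.test(style) ||
    /(?:left|top):-\d{3,}px/.test(style) ||          // pushed off-screen
    /(?:width|height):0(?:px)?(?:;|$)/.test(style);  // zero-sized
}

function scanForAutofillBait(html) {
  const findings = [];
  const inputRe = /<input\b[^>]*>/gi;
  let m;
  while ((m = inputRe.exec(html)) !== null) {
    const attrs = parseAttrs(m[0]);
    const name = attrs.name || attrs.id || "";
    if (BAIT_NAMES.test(name) && isConcealed(attrs)) {
      findings.push({ name, reason: attrs.type === "hidden" ? "type=hidden" : "css-concealed" });
    }
  }
  return findings;
}

// Constructed sample: one visible field plus several concealed "bait" fields.
const SAMPLE_HTML = `
<form action="/newsletter">
  <input name="email" type="text">
  <input name="name" type="text" style="position:absolute; left:-9999px">
  <input name="phone" style="display:none">
  <input name="street" type="hidden">
  <input name="csrf_token" type="hidden" value="x">
  <input name="comment" style="display:none">
</form>`;

console.log(scanForAutofillBait(SAMPLE_HTML));
```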

------
caf
It occurs to me that the reason it doesn't work for saved information that
begins with a digit is probably to protect CC numbers / CVVs from a similar
attack.

------
roryokane
The demo doesn’t work for me – it can’t detect my information at all. I’m
using Safari Version 5.0 (6533.16), have the red-circled autofill setting
enabled (and no other autofill settings), and have information about myself in
my address book card.

~~~
mike-cardwell
Didn't work for me until I went into the address book, selected my contact and
then clicked "Make this my card". I'm using the same version of Safari as you.

~~~
jsz0
The upside is OSX doesn't make any card your default until you do something
that requires it. Certain things in Mail and iCal will bring up a dialog box
with instructions on how to "Make this my card" (such as creating a meeting
invite in iCal).

------
mishmash
While this exploit sounds like trouble, what's more disconcerting to me is
that in mid-2010 Apple still doesn't have a functioning system in place to
handle responsible disclosure.

~~~
jonknee
Email product-security@apple.com or go the extra mile and encrypt it:
<https://www.apple.com/support/security/pgp/>

~~~
mishmash
Apparently, he did:

> I figured Apple might appreciate a vulnerability disclosure prior to public
> discussion, which I did on June 17, 2010 complete with technical detail. A
> gleeful auto-response came shortly after, to which I replied asking if Apple
> was already aware of the issue. I received no response after that, human or
> robot.

~~~
KirinDave
Yeah. And he waited just over a month. Which is not very long, compared to
other similar vendors.

I suspect that Apple doesn't have a lot of goodwill in the security community
these days. For better or worse, they're viewed as indifferent on the subject
of security.

------
retube
> These fields are AutoFill’ed using data from the users personal record in
> the local operating system address book.

Sorry, maybe a stupid question, but can someone explain this? I had no idea my
OS had an address book. Why does it have this? If it does, how do I put stuff
in it? Or delete stuff in it? Is this just on mac, or windows and linux too?

~~~
roryokane
On Mac, there is an application called Address Book in the Applications
folder. It comes with the OS so as to allow apps to integrate with it. Such
apps include Safari, as we have seen, and Mail (the email program). Adding and
editing contacts should be obvious from the interface – click a + at the
bottom to add a new contact or contact group. I don’t know if Windows or Linux
have address books.

------
loewenskind
Since this is a problem in the JS handling (as mentioned in another comment in
this thread, Safari isn't differentiating between keyboard entries that were
generated from JS from ones that actually came from a keyboard), that's
probably in Webkit itself and therefore fixable by the community, no?

~~~
bruceboughton
That doesn't help with an actual Safari release though, does it?

~~~
loewenskind
If the code is accepted it would, and likely faster than sitting on our hands
hoping that Apple will care about this.

------
izendejas
This reminded me of Gator and their disingenuous practices.
<http://en.wikipedia.org/wiki/Claria_Corporation>

~~~
GFischer
Argh... my mother used eWallet to store her credit card info... I deleted it
as adware and she was extremely upset.

------
cubicle67
completely unrelated - didtrade <http://news.ycombinator.com/user?id=didtrade>
has been spamming HN for 21 days now, but they're still not banned?

~~~
bkrausz
I was trying to think of how to ask that myself. I guess just auto-deleting
whatever they post (if that's actually what's happening) is better than
banning them, since a ban would alert them and they can just make a new
account. This lets them continue spamming nobody (except showdead folk).

------
mike-cardwell
Has anyone actually confirmed this works yet? It doesn't look like it to me...

~~~
mike-cardwell
Scratch that. I had to go into my address book, select my contact and then
click "Make this my card". Then the exploit worked.

------
orph
TL;DR. I use Chrome these days.

------
SeriousGuy
Wow I love this stuff, I can already see Apple apologists lining up to show how
this is "Just Works" or "magical Design" and how Chrome is evil since google
is transferring data over their secret wi-fi internet which fills the whole
world.

I also see an idiot commenting about his mother-in-law, sadly these people
never understand concerns for privacy.

------
SeriousGuy
Wow I love this stuff, I can already see Apple apologists lining up to show how
this is "Just Works" or "magical Design" and how Chrome is evil since google
is transferring data over their secret wi-fi internet which fills the whole
world.

I also see an idiot commenting about his mother-in-law, sadly these people
never understand concerns for privacy since being apple fanbois they already
have hardly anything to hide.

