According to WhiteHat founder and CTO Jeremiah Grossman, Apple’s Safari web browser has a vulnerability that could allow malicious websites to gain access to any personal information you have in the personal address book on your computer, even if you have never entered that data into a website’s forms before.

The vulnerability is accessed through the AutoFill feature.

…the entire process takes mere seconds and represents a major breach in online privacy. This attack could be further leveraged in multistage attacks including email spam, (spear) phishing, stalking, and even blackmail if a user is de-anonymized while visiting objectionable online material.

Apparently Jeremiah tried to communicate this privately to Apple over a month ago but the response was less than stellar:

I figured Apple might appreciate a vulnerability disclosure prior to public discussion, which I did on June 17, 2010 complete with technical detail. A gleeful auto-response came shortly after, to which I replied asking if Apple was already aware of the issue. I received no response after that, human or robot. I have no idea when or if Apple plans to fix the issue, or even if they are aware, but thankfully Safari users only need to disable AutoFill web forms to protect themselves.

As you can see at the end of that quote, the fix to protect yourself is very simple: disable AutoFill.

To do that, go to the Preferences menu, select the AutoFill tab and uncheck all of the boxes indicated below:

[Screenshot: Safari Preferences, AutoFill tab]

Thanks for the heads-up, Jeremiah.