By Richi Jennings [1]. July 22, 2010.

If you use the Safari web browser, listen up. Your browser may be leaking your private information to any website you visit. Let's take a look, in The Long View [2]...

Jeremiah Grossman, the CTO of WhiteHat Security, has discovered some very bad news for Safari users [3]. Here's his shtick:

Right at the moment a Safari user visits a website, even if they’ve never been there before ... a malicious website can uncover their first name, last name, work place, city, state, and email address. Safari v4 & v5 ... has [this] ... enabled by default.
...
This feature works even though a user never entered this data on any website. ... a malicious website would ... dynamically create form text fields ... probably invisibly, and then simulate ... keystroke events using JavaScript. When data is ... AutoFill’ed, it can be accessed and sent to the attacker. ... The entire process takes mere seconds.

What's going on here? Form data can be auto-suggested in Safari, just like in other browsers. However, the data doesn't usually get entered into the form unless the user actually selects the suggested input from the drop-down list. But in Safari, the suggestions are programmatically available.

So what? Data entered into a form field is accessible to JavaScript running on the page. A script could cycle through the alphabet, attempting the initial letters of form entries, looking for an auto-suggest match to appear.

What makes this worse is that there are special field identifiers in Safari that automatically match on the current user's own address book entry. And anyone who knows a little about CSS and JavaScript will know that a form need not even be visible.

Why is this a problem? A malicious site could publish a form that grabbed the user's details, including name and email address. It could steal the data without giving any indication that the user's privacy had been compromised.

And it's not just malicious sites we should worry about, but also sites that get hacked into to add the malicious code, or even an iframe from arogue advertiser.

The potential for spam and phishing is huge. A determined attacker might even be able to steal previously-entered customer data. And I'm sure you can imagine the scope for blackmail if the site contained... umm... unsavory content.

What to do? Ben Godfrey has this succinct advice:

[4]

Or, ditch Safari and switch to Chrome or Firefox?

Oh, wait: Dan Goodin says [5] that Grossman plans to soon reveal other "critical weaknesses" in Internet Explorer, Firefox, and Chrome. He's got a talk scheduled next week [6] at Black Hat USA 2010 in Vegas, so watch this space...

 
Will you switch from Safari? Leave a comment below...
 

[7]

Richi Jennings [8] is an independent analyst/consultant, specializing in blogging, email, and security. A cross-functional IT geek since 1985, you can follow him as @richi [9] on Twitter, pretend to be richij [10]'s friend on Facebook, or just use good old email: TLV@richij.com [11].

You can also read Richi's full profile and disclosure [12] of his industry affiliations.