Short summary: Safari autocompletes forms from your private address book, and can be tricked into doing that by Javascript events on form fields named in ways Safari would want to autocomplete; worse, once autocompleted, that data can be read out of the form by the same JS that triggered the event.
Long story short, if you browse to a site with Safari and you have autocomplete on, that site can slurp some stuff out of your address book.
More specifically, it can slurp some stuff from your personal address card that you've set in AddressBook.app.
This hack does not allow you to get the address of someone's mother-in-law.
I don't have Safari to test, but it looks like it does two things differently to other browsers. The first has been mentioned — slurping data from the local address book and feeding it to any site.
The second I can't test, but looking at the screenshot, it appears that Safari actually fills in the text field with the contents of the auto-fill, before you actually choose that auto-fill, and it highlights that text so typing something overwrites it, which is a standard way of doing autofill. However, using script to ask the textbox for its contents then exposes sensitive data. In contrast, other browsers display the sensitive data in (inaccessible to script) browser chrome, so no data is exposed.
Safari: R|*obin Message* (in the textbox itself)
Firefox: R|
Robin Message (in a popup, push down to get to it)
Er, the problem seems to be more that Javascript-initiated keyboard events can trigger AutoComplete. Only KB events from the system should be allowed to do that.
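An added example, not code from the thread, from Safari or from WebKit: a toy model of an autofill controller that fills a field from an address-book card when the typed prefix matches, first as described in the thread (any keydown counts), then gated on `event.isTrusted`, which is false for every event a script dispatches. It runs under Node.js (v15+, which ships `Event`/`EventTarget`) or in a browser; the card data, the field names and the `KeyEvent` class are constructed for the demo.

```javascript
// Constructed "Me" card, standing in for the OS address-book record.
const MY_CARD = { name: "Robin Message", email: "robin@example.com" };

// Minimal stand-in for a text input: an EventTarget with a name and a value.
class Field extends EventTarget {
  constructor(name) { super(); this.name = name; this.value = ""; }
}

// Node has no KeyboardEvent, so a tiny constructed subclass carries the key.
class KeyEvent extends Event {
  constructor(key) { super("keydown"); this.key = key; }
}

// Toy autofill controller. When a keystroke lands in a field whose name
// matches a card attribute and the typed prefix matches, the card value is
// written into the field itself (the Safari 5 behaviour the thread describes),
// where any script on the page can read it back.
function attachAutofill(field, card, { requireTrusted }) {
  field.addEventListener("keydown", (ev) => {
    // Hardened variant: events dispatched by script carry isTrusted === false,
    // so only keystrokes the browser itself generated can drive autofill.
    if (requireTrusted && !ev.isTrusted) return;
    const typed = field.value + ev.key;
    const candidate = card[field.name];
    field.value =
      candidate && candidate.toLowerCase().startsWith(typed.toLowerCase())
        ? candidate
        : typed;
  });
}

// Dispatch one synthetic keystroke into a fresh field and return what a script
// would then see in field.value.
function probeWithSyntheticKey(fieldName, key, requireTrusted) {
  const field = new Field(fieldName);
  attachAutofill(field, MY_CARD, { requireTrusted });
  field.dispatchEvent(new KeyEvent(key));
  return field.value;
}

console.log(probeWithSyntheticKey("name", "r", false)); // "Robin Message"
console.log(probeWithSyntheticKey("name", "r", true));  // ""
```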
Understand that it's fetching the data from the system's address book, but obviously this is going to be the same data it would remember if you entered it elsewhere. Keep in mind that this is a feature of Safari being exploited; it's not like this is a vulnerability in the address book that gives you unlimited access to all the user's contacts.
Autocomplete by other browsers works by remembering things you entered in forms previously (maybe restricted to domain?). One distinction is that you already decided you wanted to expose that information.
The most important distinction though, is that you have to still select to fill that out manually.
Of course logins are another story - those are automatically filled in. But those are restricted to the page you already entered them on, and you have to decide you want that information filled explicitly.
Couldn't you still use a variation of this hack to steal the info from Firefox?
Steps:
1. Go to a popular site that makes one fill out the information you want to steal.
2. Record the name they use for all their fields (afaik this is how FF determines what value to supply)
3. Use the hack to make a form with those fields
4. Profit
On step 3, it may be that you have to enter the field and type something to get the auto-complete to kick in, but that's easy: you only need to try 26 letters and 10 numbers to get a hit.
Autocomplete is activated by user interaction, not javascript events. The only way to trigger this would be a phishing attack, where you tricked the user into entering their information in.... but in that case, you're not really benefiting from autocomplete because they would have given it to you anyway.
Yup. Also worth noting is that this is a proof of concept; a real attack would likely use non-visible form fields and background automatic data transmission. I think most people would agree that there's a world of difference between a phishing attack and an automated drive-by attack.
My first Firefox security bug report (five years before I became a Mozilla employee!) was for a somewhat similar issue where pages could read form autofill data that wasn't explicitly entered by the user. Even before that vulnerability was fixed, it required significantly more user interaction than this Safari exploit. Normally Firefox will not make autofill data accessible to scripts except in response to user interaction.
I have only tested this with Chrome, but what I see is that Chrome does not autocomplete the form field (i.e. insert your name/etc into the text field).
In Chrome, the decision to add previously-entered text into the field is left to the user, through selection from a dropdown that Chrome displays below the text field.
Presumably Safari just sticks the text in the field as soon as the prefix added to the field using fake keypresses matches up with your addressbook info.
I haven't used the autofill feature (have never trusted it), but in Chrome apparently it is site-specific, and requires user intervention for it to work. I'd be interested in how FF handles it.
It occurs to me that the reason it doesn't work for saved information that begins with a digit is probably to protect CC numbers / CVVs from a similar attack.
The demo doesn’t work for me – it can’t detect my information at all. I’m using Safari Version 5.0 (6533.16), have the red-circled autofill setting enabled (and no other autofill settings), and have information about myself in my address book card.
Didn't work for me until I went into the address book, selected my contact and then clicked "Make this my card". I'm using the same version of Safari as you.
The upside is OSX doesn't make any card your default until you do something that requires it. Certain things in Mail and iCal will bring up a dialog box with instructions on how to "Make this my card" (such as creating a meeting invite in iCal)
While this exploit sounds like trouble, what's more disconcerting to me is that in mid-2010 Apple still doesn't have a functioning system in place to handle responsible disclosure.
> I figured Apple might appreciate a vulnerability disclosure prior to public discussion, which I did on June 17, 2010 complete with technical detail. A gleeful auto-response came shortly after, to which I replied asking if Apple was already aware of the issue. I received no response after that, human or robot.
Yeah. And he waited just over a month. Which is not very long, compared to other similar vendors.
I suspect that Apple doesn't have a lot of goodwill in the security community these days. For better or worse, they're viewed as indifferent on the subject of security.
That's not fair; hundreds of people report vulnerabilities to Apple every year. We've done it, many times. They're not lightning fast, but they aren't blowing people off either.
You might be right. I should have written "a fail proof" system instead.
And really, I don't think it's that unreasonable to expect a fail proof level of response on security vulnerabilities from the world's most valuable computer company.
Let me tell you from long and painful personal experience that nobody in the industry has a "fail proof level of response", including Microsoft, which has outspent the rest of the industry combined by a significant multiple.
Your expectations are unrealistic.
The biggest problem this whole industry has right now is that it is excruciatingly hard to find talent. Nobody has enough people. Everyone, from Google through MSFT through Adobe through Apple through Cisco &c &c &c, is screwing things up because of it.
Wait, what? You think it's unrealistic to expect every security-related bug filed to get some kind of a human follow up within 30+ days?? And this from a company that made over one BILLION in profit during that same time frame?
I think you should find a security bug in any Apple product and report it before you make representations as to how they handle stuff like this. It's not that hard.
Wow your third reply to me ever is an ad hominem? Classic.
And you should probably be more careful in what you wish for because I actually have reported security vulnerabilities to Apple before. And in one case, I waited even longer than a month for a reply (rdar://3775607).
Yes: that I don't believe Apple is actually sitting on security bugs and not telling researchers they've received them, based on our own experience reporting bugs to them.
I don't know how or what you reported or what channel you used to report it. It's possible that Apple makes this reporting process overly confusing. But I simply don't buy that other large vendors are significantly better at reporting progress than Apple. The MSRC takes flak all the time for how they handle reports, Adobe gets more flak than even Apple does, and I think your expectations are unrealistic.
In all cases, the process is, report bug, get pro-forma response, wait forever. Hence NMFB, hence "rebooting responsible disclosure".
If you reported an obviously bad flaw to Apple using product-security@, and they never fixed it or fixed it without crediting you on the credits page they've maintained for something like 5 years now, I apologize for making the assumption that someone saying the things you're saying has never reported a security vulnerability to Apple.
It's great that you don't believe or "buy" that other corporations are better at handling disclosure than Apple, that Apple is maliciously sitting on bug reports, etc., because no one in this thread ever implied that.
Let me try to clear up my point of frustration with the whole untimely response thing.
A quick search reveals that MSRC (which you cited) receives something like 300 emails a day. I could easily be wrong, but let's assume Apple's volume is close to this number as well.
So that's 300 divided by 8 hours a day or about 40 messages an hour. Using my earlier example of a human simply replying with his/her name/contact, and a tracking number, we'll be generous and say it takes a half hour to do this, that's 16 messages processed by a single tier-1 security support staff in one day.
If we now divide 40/received/hour by 16/processed/day we get that APS would need to add roughly 18 additional team members to handle a reporting volume equal to that of Microsoft.
Not from the valley, but it looks like tech support make around $50K a year out there, which we would multiply by the additional staff for: $50k * 18 = $900,000/year.
According to the conference call this week, Apple makes over $32,000,000 in _profit per day_.
Essentially, if Apple wanted to greatly improve their image and contact with outside researchers, they could take 0.03% of a single day's profit, and provide every person that submits a bug with an immediate human contact and tracking number.
Hell, even if I float these numbers up by several magnitudes, does it really sound like too much to ask?
edit: mathfail, but bottom line is still valid /done ;)
This is a thoughtful response and I have no snippy response to it, other than to point out that companies have tried hurling money at this problem and appear to be bottlenecked at "finding enough software security people to get the job done".
And, like I said, I think they're significantly better at responding to reports than the picture you're painting. We may be talking past each other, but: having an actual human write back and say "thanks, you're secrdar://484799" might not actually make things any better than they already are.
The fact is that large companies haven't figured out how to ship security fixes, and so security fixes are ending up getting triaged alongside all other classes of product flaws. And that isn't working.
> These fields are AutoFill’ed using data from the users personal record in the local operating system address book.
Sorry, maybe a stupid question, but can someone explain this? I had no idea my OS had an address book. Why does it have this? If it does, how do I put stuff in it? Or delete stuff in it? Is this just on mac, or windows and linux too?
On Mac, there is an application called Address Book in the Applications folder. It comes with the OS so as to allow apps to integrate with it. Such apps include Safari, as we have seen, and Mail (the email program). Adding and editing contacts should be obvious from the interface – click a + at the bottom to add a new contact or contact group. I don’t know if Windows or Linux have address books.
I'm quite sure that Windows has a system-wide address book service managed by the Address Book application as well, or at least does in recent versions.
Since this is a problem in the JS handling (as mentioned in another comment in this thread, Safari isn't differentiating between keyboard entries that were generated from JS and ones that actually came from a keyboard), that's probably in WebKit itself and therefore fixable by the community, no?
I was trying to think of how to ask that myself. I guess just auto-deleting whatever they post (if that's actually what's happening) is better than banning them, since a ban would alert them and they can just make a new account. This lets them continue spamming nobody (except showdead folk).
Wow, I love this stuff. I can already see Apple apologists lining up to show how this "Just Works" or is "magical Design", and how Chrome is evil since Google is transferring data over their secret wi-fi internet which fills the whole world.
I also see an idiot commenting about his mother-in-law; sadly these people never understand concerns for privacy since, being Apple fanbois, they already have hardly anything to hide.