Safari AutoFill flaw opens up Mac OS X address book to hackers

WhiteHat Security said Wednesday that it had found an issue in how Safari's AutoFill feature handles personal information, which could open up the personal information of a web surfer simply by visiting a malicious website.

Using a few lines of code, the hacker would be able to obtain the information without the user even knowing it occurred. The "Using info from my Address Book card" option would need to be checked in AutoFill preferences in order for the hack to work.

There is one positive: AutoFill does not work with fields starting with numbers, meaning street addresses and phone numbers would not be able to be accessed using publicly available code.

It is believed that the flaw resides within the WebKit engine that powers Safari. Grossman tried the exploit code on Google's Chrome browser which also uses the WebKit engine, but was unable to replicate the issue.

WhiteHat founder and CTO Jeremiah Grossman said in a blog post that he had attempted to contact Apple prior to disclosure of the vulnerability twice, but had received no response.

"I have no idea when or if Apple plans to fix the issue, or even if they are aware, but thankfully Safari users only need to disable AutoFill web forms to protect themselves," he mused.

While the flaw is not serious since it only seems to be able to steal a user's name, city, state, country, and e-mail, it still could open up the user to spam. Hackers could use additional techniques to phish further information on the victim if they so desired.