
Safari 5.0 AutoFill Feature Could Leave Your Information Vulnerable


Security researcher Jeremiah Grossman discovered a vulnerability that let any website pull personal information out of Safari’s AutoFill feature, which populates web forms with data from the user’s Address Book card on the Mac. Apple responded with Safari 5.0.1, which was meant to close that hole, but Grossman has since found another way to coax the same personal data out of Apple’s flagship web browser.

To get at the user’s information, Grossman set up a “game” in which the player is told to type “U” to jump. The keystroke actually lands in a hidden form’s country field, where “U” is the first letter of “US”; when the player then presses Tab, Safari accepts the AutoFill suggestion and fills out the rest of the form with the user’s personal data, including first name, last name, street, city, state, zip (or postal) code, country, email and phone number.

“To perform our attack requires a tiny bit of end-user trickery. Two button presses to be precise. A malicious website detects (ie: IP address) the country the victim is from. For our purposes here we’ll assume the “US.” The attacker invisibly (CSS transparency) sets up the aforementioned form and forces the keystroke focus into the country element. Notice how this is done in the video on the right side of the screen, which is only visible for demonstration purposes. Next the attacker entices the victim to type “U” (first character of “US”) and then press “TAB.” And BAM! That’s it! Data stolen,” says Grossman on his blog.

Grossman also posted a video showing the exploit in progress, which you can find in his post.

Apple has yet to address this new exploit, but as with any vulnerability of this kind, you can defend yourself by turning off the affected feature. Disabling Address Book AutoFill in Safari removes the data the hidden form depends on, which kills this hack outright. To do so, navigate to Safari > Preferences > AutoFill and uncheck the box labeled “Using info from my Address Book card.”

via MacRumors


Follow this article’s author, Cory Bohon, on Twitter.

iTunes Accounts May Be Vulnerable To Hackers

It could be nothing, but it certainly might be something: if you pay for your iTunes applications and media purchases with a credit card or a PayPal account, you would do well to read this story and take a few precautions to protect your financial well-being.

A number of users who pay for goods from the iTunes Store with a credit card or PayPal have reported massive unauthorized purchases of software, music and videos charged to their iTunes Store accounts. The amounts vary, with some users seeing hundreds of dollars in purchases and others thousands. One unfortunate individual reported that his entire bank account was drained via PayPal to pay for someone else’s entertainment and productivity apps.

At this point there is no information on how the hackers who hijacked these accounts obtained the usernames and passwords needed to spend the account holders’ money. Until a cause, or a fix, is announced, we suggest that if you must make purchases through iTunes, you consider removing your PayPal account and credit cards from the service and paying with iTunes gift cards instead, which caps your exposure at the card’s balance. None of these reports has been confirmed by Apple so far, but in a summer already full of security breaches, this would be one more to add to the list.