Apple Dodges Black Hat Bullet With Safari Security Hole Fix

Apple sidestepped a possible security brouhaha Wednesday by plugging a hole in its Safari web browser just a day before the vulnerability was scheduled to be exposed in a public briefing at the Black Hat security conference.

Jeremiah Grossman, CTO of WhiteHat Security, a provider of website risk management solutions, was slated to shine the spotlight on the Apple Safari security vulnerability in a Black Hat presentation on Thursday titled "Breaking Browsers: Hacking Auto-Complete."

The Safari vulnerability is related to how the browser autofills forms with a user's name and personal information.

Grossman had outed Safari in a blog post last week titled: "I Know Your Name, Where You Work, And Live, (Safari v4 & v5)."

"Right at the moment a Safari user visits a website, even if they’ve never been there before or entered any personal information, a malicious website can uncover their first name, last name, work place, city, state, and email address," wrote Grossman.

That left 83 million Safari users at risk, according to Grossman, because of the AutoFill web forms functionality in Safari versions 4 and 5.

"All a malicious website would have to do to surreptitiously extract Address Book card data from Safari is dynamically create form text fields with the aforementioned names, probably invisibly, and then simulate A-Z keystroke events using JavaScript," wrote Grossman. "When data is populated, that is AutoFill’ed, it can be accessed and sent to the attacker."
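The defensive counterpart to the pattern Grossman describes is to look for text inputs a page keeps out of view while naming them after personal-data fields. The scanner below is an added example, not code from the article or from Grossman's post; it parses raw HTML with a small regex tokenizer so it runs in Node without a DOM, and its field list and hiding heuristics are assumptions, not Safari's actual AutoFill mapping.

```javascript
// Added example (not from the article or Grossman's post): heuristic scan for
// concealed text inputs named after personal-data fields, the pattern the
// article describes. Regex tokenizer, so it runs in Node without a DOM; the
// field list and hiding patterns below are assumptions.
const PERSONAL_FIELDS = new Set(['name', 'firstname', 'givenname', 'lastname',
  'familyname', 'email', 'company', 'organization', 'city', 'state', 'address']);

// Each <input ...> tag as a lowercase attribute map; boolean attributes
// such as `hidden` get an empty-string value.
function parseInputs(html) {
  const attrRe = /([a-zA-Z_:-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  return [...html.matchAll(/<input\b([^>]*)>/gi)].map((tag) => Object.fromEntries(
    [...tag[1].matchAll(attrRe)].map((a) => [a[1].toLowerCase(), (a[2] ?? a[3] ?? a[4] ?? '').trim()]),
  ));
}

// Only text-like inputs are AutoFill targets; type="hidden" is never filled
// and is deliberately not flagged (it would only produce false positives).
function isAutofillTarget(attrs) {
  return ['text', 'email', 'tel'].includes((attrs.type || 'text').toLowerCase());
}
// Kept out of view via the `hidden` attribute or common inline-CSS tricks.
function isConcealed(attrs) {
  if (attrs.hidden !== undefined) return true;
  const style = (attrs.style || '').toLowerCase().replace(/\s+/g, '');
  return /display:none|visibility:hidden|opacity:0(?![.\d])|(left|top):-\d{3,}px/.test(style);
}

// Concealed, autofillable inputs whose name/id/autocomplete hints at
// personal data. Returns [{ field, name }].
function findAutofillBait(html) {
  const hits = [];
  for (const attrs of parseInputs(html)) {
    if (!isAutofillTarget(attrs) || !isConcealed(attrs)) continue;
    const labels = [attrs.name, attrs.id, attrs.autocomplete].filter(Boolean)
      .map((v) => v.toLowerCase().replace(/[-_\s]/g, ''));
    const field = labels.find((l) => PERSONAL_FIELDS.has(l));
    if (field) hits.push({ field, name: attrs.name || attrs.id });
  }
  return hits;
}
// Constructed sample: a benign search box, a legitimate hidden token and
// three concealed fields named after Address Book data.
const SAMPLE_HTML = `<form action="/subscribe" method="post">
  <input type="text" name="search" placeholder="Search">
  <input type="hidden" name="state" value="abc123">
  <input type="text" name="first_name" style="display: none">
  <input type="email" name="email" style="position:absolute; left:-9999px">
  <input name="company" hidden>
</form>`;
console.log(findAutofillBait(SAMPLE_HTML));
```

Running it against the sample reports only the three concealed fields; the visible search box and the `type="hidden"` token are left alone, since browsers do not AutoFill hidden-type inputs.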

In his blog post, Grossman said he went public with the flaw after he reported the security vulnerability to Apple. Grossman said he included the technical details when he reported the security hole to Apple on June 17, yet only received a "gleeful auto response."

Grossman followed up again with a reply asking if Apple was already aware of the vulnerability.

"I received no response after that, human or robot," wrote Grossman in the July 21 blog post. "I have no idea when or if Apple plans to fix the issue, or even if they are aware, but thankfully Safari users only need to disable AutoFill web forms to protect themselves."

Apple formally put the matter to rest on Wednesday morning by releasing Apple Safari 5.0.1.