The original credit for reporting this should go to Jeremiah Grossman [jeremiahgrossman.blogspot.com]

It seems that a malicious website can uncover a Safari user's name, work place, city, state, and email address by hacking the auto-complete function.

And for the record, he did the honorable thing and let Apple know last month - before going public this month.

I figured Apple might appreciate a vulnerability disclosure prior to public discussion, which I did on June 17, 2010 complete with technical detail. A gleeful auto-response came shortly after, to which I replied asking if Apple was already aware of the issue. I received no response after that, human or robot.

According to Ars and Secunia Apple has just .....

displaced Oracle as the company with the most security vulnerabilities in its software

....


Though this does not necessarily mean that Apple's software is the most insecure in practice—the report takes no consideration of the severity of the flaws

[arstechnica.com...]

"Apple ...the company with the most security with the most security vulnerabilities in its software... Though this does not mean [its] software is the most insecure in practice."

I worked for a state government bureaucracy for 30 years. This wording sounds like something straight out of a memo written by a middle-management paper-pusher.

I'm more troubled by a month-plus with no action than the vulnerability itself. When someone finds a security hole and is honorable enough to tell you in private, you don't shove them to the curb.

To me, that smells like a corporate culture problem at Apple. The company is high on its recent success and is forgetting some of the business basics.

Though this does not mean [its] software is the most insecure in practice.

I worked for a state government bureaucracy for 30 years. This wording sounds like something straight out of a memo written by a middle-management paper-pusher.

lol totally, but I am sure you know they just mean that having the most vulnerabilities doesn't make you the most insecure.

For example you could have 100 vulnerabilities that all give access to your browser history in Safari. (not real)

Compare that to only 1 vulnerability that gives your access to your stored passwords in Chrome (not real)

1 would be more insecure, 1 would have more vulnerabilities.

I think these recent trends demonstrate how difficult it is to write code. As Apple continues to get pushed into the spotlight, this is going to happen. It's also going to hurt the perception that Apple is head and shoulders above everyone else.

incrediBILL must be asleep.

As a general rule for security, I never allow anything to auto-complete.

So, I guess that would mean that from that standpoint "I'm safe" ?

No, sorry to say, that's not enough because the visitor doesn't actually see this hack happening on the screen. You've got to turn off the auto-complete function completely. Or better still, don't have any real data available for the browser to use.

This particular stew is getting thicker - there's a similar vulnerability in IE6 and IE7. See IE and Safari lets attackers steal user names and addresses [theregister.co.uk]

In a talk scheduled for next week's Black Hat security conference in Las Vegas, Jeremiah Grossman, CTO of White Hat Security, plans to detail critical weaknesses that are enabled by default in the browsers, which are the four biggest by market share. The vulnerabilities have yet to be purged by the respective browser makers despite months, and in some cases, years of notice.

Not having any data available for the browser is something major search engines like Google don't want, their harvesters are always hungry.

I just wanted to add that it's not as dangerous to have auto-complete on as it is to enter ANY form box information on a site you don't trust. You have no way of knowing if the password or other information you type in is secure afterwards or if a script is copying it.

NEVER use the same login name and password on more than one site.

incrediBILL must be asleep

On a small vacation in Nevada where it was hotter than H3LL!

I think these recent trends demonstrate how difficult it is to write code.

Coding isn't difficult nor is writing secure code.

There is simply a discipline and protocol that needs to be followed to make sure that all the code you write is as secure as possible, requiring coding standards, code review, vulnerability testing, so on and so forth.

I can't say anything about Apple's coding standards because I've never seen them personally, but if they have them, and I assume they do, things like this will point out gaping holes in their standard practices and procedures and they'll plug that hole in the future.

Then again, Microsoft, a much bigger company, continues to produce "secure code" with more holes than Swiss Cheese so don't hold your breath.

Coding isn't difficult nor is writing secure code.

There is simply a discipline and protocol that needs to be followed to make sure that all the code you write is as secure as possible, requiring coding standards, code review, vulnerability testing, so on and so forth.

I guess if writing secure code is easy (sorry, my mistake) then you're pointing out that Apple is unwilling to pay for the correct testing of that code or is rushing untested code to market.

That's too bad. This again validates the thought Apple is only concerned about making money - shortcuts are everywhere. Apple seems to be just as guilty as the next guy.

Thanks for clearing this up.

Then again, Microsoft, a much bigger company, continues to produce "secure code" with more holes than Swiss Cheese so don't hold your breath.

You've got that backwards, Apple is bigger than Microsoft. Again, shame on Apple.

I guess if writing secure code is easy

I said it required rigorous process control to make it happen, which can be relatively easy once it's in place.

However, the minute someone cuts a corner, it falls apart.

You've got that backwards, Apple is bigger than Microsoft. Again, shame on Apple.

I meant bigger in terms of purely software production and Microsoft produces way more software products than Apple.