Safari Privacy Bug May Be Leaking Your Data

← Back to Stories (view on slashdot.org)

Safari Privacy Bug May Be Leaking Your Data

Posted by timothy on Thursday July 22, 2010 @09:18AM from the problem-with-software-is-that-it-sucks dept.

richi writes "If you use Safari, your browser may be leaking your private information to any website you visit. Jeremiah Grossman, the CTO of WhiteHat Security, has discovered some Very Bad News. I have some analysis and other reactions over at my Computerworld blog. The potential for spam and phishing is huge. A determined attacker might even be able to steal previously-entered customer data." In short, autofill for Web forms is enabled by default in Safari 4 / 5 (and remotely exploitable), and the data that this feature has access to includes the user's local address book — even if the information has never been entered into a Web form.

152 comments

But not Firefox... by alain94040 · 2010-07-22 09:19 · Score: 5, Insightful

It seems that the bug is due to Safari allowing keyboard events to be generated from Javascript, so a malicious script can pretend to interact as if it were the user, whereas Firefox doesn't get fooled.
--
The Founder Conference is coming August 17
1. Re:But not Firefox... by Anonymous Coward · 2010-07-22 20:24 · Score: 0
  
  I use the Lynx browser, you insensitive clod!
So..'many eyes make bugs shallow'? by RLiegh · 2010-07-22 09:21 · Score: 1, Interesting

If that old canard is so true, than I have to wonder why it is that their are so many security-related issues with F/OSS browsers that go unchecked for so long? While IE was justifibly a laughing stock nowadays webkit and firefox are barely much better -despite the 'many eyes' theory.
Could it be that the job is simply to complex for most non-professionals and that the open source model has reached the end of it's useful life?
1. Re:So..'many eyes make bugs shallow'? by bunratty · 2010-07-22 09:30 · Score: 5, Insightful
  
  It could be that more of the vulnerabilities are being found in open source browsers than in closed source browsers. In other words, closed source browsers may have many more undiscovered security problems. IE still has security vulnerabilities they're not fixing, both ones that are publicly known and ones that only Microsoft and a few others know about. Chrome and Firefox have no publicly known security vulnerabilities today.
  
  --
  What a fool believes, he sees, no wise man has the power to reason away.
2. Re:So..'many eyes make bugs shallow'? by Anonymous Coward · 2010-07-22 09:39 · Score: 1, Interesting
  
  Isn't this a bug in Safari, not Webkit? As such, it's Apple's responsibility, not the F/OSS community's.
3. Re:So..'many eyes make bugs shallow'? by maxume · 2010-07-22 09:40 · Score: 1
  
  Your post would make sense if the majority of the work done on Webkit and Firefox was not done by professionals.
  
  --
  Nerd rage is the funniest rage.
4. Re:So..'many eyes make bugs shallow'? by phantomfive · 2010-07-22 09:43 · Score: 2, Insightful
  
  Browsers are about the most complex piece of software you will find anywhere. Think about all they can do. They have a not just one page rendering algorithm, several different types. Different modes mean different things, and W3 lists over 20 different modes.
  
  Then they have the networking part, that communicates to servers, opening several sockets at a time and coordinating their retrieval. And they have to be able to do it with HTTP1.0 or HTTP2.0. And they have to be able to handle weird HTTP things, like password authentication.
  
  After that, they have to be able to parse at least three different image types (and image parsing libraries are a great place to look for vulnerabilities because they are complex and the data is hard to validate). And they have to be able to interact with the OS in some way to allow movie and audio playing. And flash. And Java Applets. And any other weird plugin.
  
  Then add to it a complex, object oriented, interpreted language (as if the several versions of HTML weren't bad enough), and the fact that the entire page has to be dynamic. Quickly dynamic: people want to do animations with this stuff, it has to happen in milliseconds.
  
  And a spell checker. Oh, and it has to be able to interact with and recognize tons of different character encodings. In short, if I had a choice between writing a kernel and guaranteeing that it was vulnerability-free, and writing a browser and guaranteeing it was vulnerability-free, I would take the kernel any day. It's a significantly easier piece of software.
  
  So there are still bugs in IE too, don't worry.
  
  --
  Qxe4
5. Re:So..'many eyes make bugs shallow'? by natehoy · 2010-07-22 09:46 · Score: 4, Insightful
  
  Umm... WHAT? Sorry to burst your conceit bubble there, Sparky, but... "Many eyes make bugs shallow" does not apply to Safari, because Safari is not open source software.
  Webkit (the open source rendering engine that Safari uses) is not vulnerable. Chrome and Chromium (also built on Webkit) are also not vulnerable. Webkit is fine, at least in regards to this vulnerability.
  Safari (the closed-source browser built on Webkit) is vulnerable.
  This is a closed-source software bug that has been reported to the vendor.
  I don't disagree that all software has bugs. That's going to be true. But this is an example of the opposite.
  
  --
  "This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
6. Re:So..'many eyes make bugs shallow'? by natehoy · 2010-07-22 09:49 · Score: 4, Insightful
  
  Actually, this is a perfect example of it.
  The vulnerability is in closed-source software, because Safari is closed-source. The vulnerability does not exist in Webkit (the open source component of Safari), so no one but Apple can fix this issue.
  The issue was discovered almost by accident. Safari allows Javascript to emulate keypresses (which is almost inconceivably stupid).
  If any respectable open source team member had seen Javascript events being passed to the keyboard buffer, he or she would have screamed blue bloody murder and it would have become a priority one bug faster than you can say "the developer who wrote that shit has just lost code submission privileges on this project".
  
  --
  "This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
7. Re:So..'many eyes make bugs shallow'? by pclminion · 2010-07-22 09:52 · Score: 2, Insightful
  
  In short, if I had a choice between writing a kernel and guaranteeing that it was vulnerability-free, and writing a browser and guaranteeing it was vulnerability-free, I would take the kernel any day. It's a significantly easier piece of software.
  The kernel (let's use Linux as an example) is significantly higher quality, not because it is a simpler piece of code but because it is written by people who aren't morons and actually care about robustness. A web browser has a lot of spec cruft to contend with, but that's peanuts -- a kernel has to contend with anything that could possibly occur on the machine, in any order, simultaneously or not, by any user, using any device, with any amount of memory, any number of CPUs, and any unknown modifications, modules, or other tweaks that might be in place. Comparing the two types of software is insane.
8. Re:So..'many eyes make bugs shallow'? by Anonymous Coward · 2010-07-22 09:54 · Score: 0
  
  I can see your upset, but I have to ask...
9. Re:So..'many eyes make bugs shallow'? by Anonymous Coward · 2010-07-22 09:56 · Score: 0
  
  HTTP2.0 uhhh WAT?
10. Re:So..'many eyes make bugs shallow'? by natehoy · 2010-07-22 10:06 · Score: 1
  
  Not mad, just making a point. ;)
  
  --
  "This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
11. Re:So..'many eyes make bugs shallow'? by think_nix · 2010-07-22 10:13 · Score: 1
  
  After that, they have to be able to parse at least three different image types (and image parsing libraries are a great place to look for vulnerabilities because they are complex and the data is hard to validate). And they have to be able to interact with the OS in some way to allow movie and audio playing. And flash. And Java Applets. And any other weird plugin.
  says who ? why does this level of interaction have to deal with the os level ? WTF ? Why do application layer programs have to crash the whole box . please tell me why ?
12. Re:So..'many eyes make bugs shallow'? by phantomfive · 2010-07-22 10:18 · Score: 1
  
  The thing is, we have decades of experience knowing how to deal with all that; not only that, there have been books written, classes taught, and academic discussions about the best way to do it, and the best way to organize it, and the basic structure isn't going to change much. All those problems you mentioned are serious problems, it's true, but they've been solved, and you can learn about the various solutions in an undergraduate class and choose the one you want. A single person can write a basic kernel in a few months (although you'll have a lot of work adding drivers, but it's typically easier to avoid a security flaw in a driver than in a network-facing piece of code).
  
  But you can't take a class about browser construction. The theory isn't really settled. It's entering uncharted territory. The problems may not be as complex, but you have to solve them yourself (and some of the problems are quite complex: the parser for a page of HTML must be a beast). It's harder to know what potential problems you may face in the future.
  
  That's why I say I'd rather guarantee the security level of a kernel, because I know how to do it, and I know what problems I may face. Who would have thought of a cross-site-scripting bug? Are there other similar classes of bugs that haven't been discovered yet, that all browsers are vulnerable to? It's a lot less likely that you'd find a class of bug that hasn't been discovered yet for a kernel.
  
  --
  Qxe4
13. Re:So..'many eyes make bugs shallow'? by phantomfive · 2010-07-22 10:21 · Score: 1
  
  You sir, are dumb. Please go educate yourself. And at least try to understand what you read before responding.
  
  --
  Qxe4
14. Re:So..'many eyes make bugs shallow'? by Anonymous Coward · 2010-07-22 10:28 · Score: 0
  
  That's nothing. Safari is the leading browser for support of HTTP 5.0.
15. Re:So..'many eyes make bugs shallow'? by ToasterMonkey · 2010-07-22 10:36 · Score: 4, Insightful
  
  If any respectable open source team member had seen Javascript events being passed to the keyboard buffer, he or she would have screamed blue bloody murder and it would have become a priority one bug faster than you can say "the developer who wrote that shit has just lost code submission privileges on this project".
  I'm not buying your assertion that open source developers are more attentive or more dedicated than non-open source developers. What is the rationale for that?
  Other than defining the QA process to be whatever you want and being your own QA team, what advantages does a project being open source confer in this regard? Some outsider can swoop in and patch your critical security vulnerabilities for you, with tests, and no new bugs? Your users can fix bugs on their own, maintaining private one-off branches?
  Not to dig on open source or anything, but I think it's usefulness is being pushed a BIT too far sometimes. There are certainly places it shines, but this is not one of them.
16. Re:So..'many eyes make bugs shallow'? by bit9 · 2010-07-22 10:49 · Score: 2, Insightful
  
  Browsers are about the most complex piece of software you will find anywhere.
  I don't disagree with your main point that web browsers are very complex. However, the above quote is pure hyperbole. There are many types of software that make web browsers look like child's play. Among them, I would say, are avionics software, flight software for satellites, etc. Those are just a couple examples - I'm sure there are quite a few others.
17. Re:So..'many eyes make bugs shallow'? by ewanm89 · 2010-07-22 10:54 · Score: 2, Insightful
  
  the Q/A being in the open anyone can go file and read through the bug reports, and if anyone actually didn't assign such a bug as priority one, then the whole project would be ridiculed, probably here and in many other places.
18. Re:So..'many eyes make bugs shallow'? by jc42 · 2010-07-22 10:58 · Score: 2, Insightful
  
  Your post [about F/OSS software being safer due to the "many eyes" phenomenon] would make sense if the majority of the work done on Webkit and Firefox was not done by professionals.
  I don't think any definition I've seen of Free/Open Software includes anything at all about the professional status of the programmers.
  In fact, much of the work on the most popular F/OSS packages is done by "professional" programmers. This is widely understood as a way to improve your public image and résumé, since it allows you to get involved with new things that an employer wouldn't permit. Most employers don't like people working on something that they've never done before, so if you want experience with something new, you usually have to work on it in your copious spare time, i.e., as a Free Software project. And, of course, you want it to also be Open Source, so that people can read your good work and be impressed.
  It's also common for the more enlightened managers to approve of employees getting involved in F/OSS work, for the same reasons, and to give the company more credibility among software developers.
  But it's common for the corporate world to disparage Free/Open software developers as unpaid professionals. It's pure ideological PR, though, with little basis in reality. (Reality is always a lot messier than anyone's ideology. ;-)
  
  --
  Those who do study history are doomed to stand helplessly by while everyone else repeats it.
19. Re:So..'many eyes make bugs shallow'? by lennier · 2010-07-22 11:07 · Score: 1
  
  Could it be that the job is simply to complex for most non-professionals
  s/non//
  I think reality is showing us that programming in the modern Internet's always-on, concurrent environment in non-thread-and-memory-safe languages is not merely difficult for amateurs, but impossible for even professionals to do safely.
  I also think the answer will have to involving throwing out the von Neumann model, since we're manifestly living in a very non-von Neumann environment. Stuff happens all at once in a single giant massively-connected network of communicating processors (ie, the Internet) and we don't have any mainstream languages which even attempt to accurately model this. (Maybe Erlang?) We have Algol-descended languages based on the control-flow idea of 'do this thing, then that thing, in my private resource space', which is really efficient on one CPU, but into which we keep trying to shoehorn safety and concurrency and message-passing, and it's really not working, because you have to keep doing manually what the language is not designed to do and doesn't lend itself to doing. It sorta-works, but it creates huge potential for mistakes.
  I think we need to start with replacing control-flow with data-flow completely and really pay attention to what the message-passing theorists in the 1970s were trying to say, and which OOP only partly implemented. The Internet is a message-passing network, but the software connected to it only half does message passing. We should go all the way.
  
  --
  You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC
20. Re:So..'many eyes make bugs shallow'? by Lars+T. · 2010-07-22 11:11 · Score: 2, Informative
  
  Umm... WHAT? Sorry to burst your conceit bubble there, Sparky, but... "Many eyes make bugs shallow" does not apply to Safari, because Safari is not open source software.
  Webkit (the open source rendering engine that Safari uses) is not vulnerable. Chrome and Chromium (also built on Webkit) are also not vulnerable.
  
  Well, yes and no.
  
  Jeremiah Grossman said...
  @Anonymous, Tom: I believe this may be a WebKit issue and not just Safari. While it is difficult to confirm now, I suspect this technique did in fact affect Chrome. Had some discussions with Google a while back surrounding this topic and recall them finding/fixing something, but I don't really get all the details straight. Will have to find an older Chrome version somewhere to confirm...
  @anonymous: this hack may have worked on Chrome at one time, but no longer. Trying to confirm, but difficult to get old OS X copies. :)
  
  --
  Lars T.
  To the guy who modded me down from perfect to terrible Karma - Apple haters still suck
21. Re:So..'many eyes make bugs shallow'? by amicusNYCL · 2010-07-22 11:14 · Score: 3, Insightful
  
  I'm not buying your assertion that open source developers are more attentive or more dedicated than non-open source developers.
  It may even go the other way, it may foster complacency. A programmer working on an open source project may be more likely to assume that someone else has already looked at the code and therefore that they don't need to do it themselves. In an organization there would be someone who's specific job is to audit everything, but if that's left as a community task with no one person taking responsibility for it then it might breed complacent developers.
  Obviously this is pure speculation.
  
  --
  "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
22. Re:So..'many eyes make bugs shallow'? by amicusNYCL · 2010-07-22 11:18 · Score: 1
  
  why does this level of interaction have to deal with the os level ?
  How exactly does the browser play video and audio without the OS? Should browsers come with their own audio and video drivers now?
  
  --
  "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
23. Re:So..'many eyes make bugs shallow'? by maxume · 2010-07-22 11:24 · Score: 2, Informative
  
  If you are going to shove words into my post, shove the words I was replying to into my post:
  
  Could it be that the job is simply to complex for most non-professionals and that the open source model has reached the end of it's useful life?
  
  --
  Nerd rage is the funniest rage.
24. Re:So..'many eyes make bugs shallow'? by phopon · 2010-07-22 11:24 · Score: 1
  
  While it is true that most(all?) developers on things like the Linux kernel are professional, it isn't true that they are usually acting on their own. In fact from the looks of it, only between 15-25% of the code is from unpaid work. The majority is by people who are paid by one company or another to work on it.
25. Re:So..'many eyes make bugs shallow'? by lennier · 2010-07-22 11:29 · Score: 3, Insightful
  
  After that, they have to be able to parse at least three different image types (and image parsing libraries are a great place to look for vulnerabilities because they are complex and the data is hard to validate). And they have to be able to interact with the OS in some way to allow movie and audio playing. And flash. And Java Applets. And any other weird plugin.
  All of these are certainly complex requirements which could understandably lead to bugs.
  What it is not acceptable is for bugs in a data processing algorithm - say, image rendering - to even be able to lead to vulnerabilities.
  There is no logical need, for example, for a JPEG parser to even conceivably trigger arbitrary code execution if the programmer makes an off-by-one error in an array subscript. It's simply irrelevant to the task of that code. It should be literally impossible to make a mistake in such code in such a way as to trigger code execution.
  Because Internet programming is so complex that if vulnerabilities are not made impossible, they are a certainty, and a certain vulnerability times the size of the Internet mean even the smallest mistake is no longer tolerable. Humans simply can't work with that degree of precision, nor should they ever need to. This is exactly what we built computers for: to take over the repetitive drudge work which we can't do without error. So while a programmer can be assured to make errors, it's the job of the language to make it impossible for errors in data manipulation to lead to logically-unrelated weirdnesses like code execution.
  Surely this isn't rocket Turing Machine science. We don't have to solve the halting problem to get rid of buffer overflows, do we?
  
  --
  You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC
26. Re:So..'many eyes make bugs shallow'? by DragonWriter · 2010-07-22 11:39 · Score: 1
  
  Then they have the networking part, that communicates to servers, opening several sockets at a time and coordinating their retrieval. And they have to be able to do it with HTTP1.0 or HTTP2.0.
  Can you point me to some resources (like, say, the RFC) for HTTP 2.0? I'm having trouble finding any evidence that it exists...
27. Re:So..'many eyes make bugs shallow'? by PopeRatzo · 2010-07-22 11:56 · Score: 2, Interesting
  
  I'm not buying your assertion that open source developers are more attentive or more dedicated than non-open source developers. What is the rationale for that?
  It could be because between open source and non-open source developers, only one group has a boss to hate.
  Freedom to do the best job you can and the sheer desire to create a product that's good enough that you would use is a very strong motivating factor.
  I'm not saying this is necessarily the "rationale" you asked for, but maybe. Maybe the open source developers didn't have to waste their time going to "team building" workshops, or Monday breakfast meetings or have to keep their mouth shut while their boss screws something up or takes credit for the developers' work.
  Not that open source shops are utopias, but I think it's possible that they are more dedicated than their colleagues at Microsoft or Apple.
  
  There are certainly places it shines, but this is not one of them.
  Wait a minute now. We're talking about four browsers. The ones from Apple and Microsoft have security vulnerabilities and the ones from Google and Mozilla do not. Is it just coincidence?
  
  --
  You are welcome on my lawn.
28. Re:So..'many eyes make bugs shallow'? by DaveV1.0 · 2010-07-22 12:00 · Score: 0, Flamebait
  
  No, a web browser doesn't need to do most of what you have listed. In fact, it probably shouldn't be doing most of what you listed.
  Web browsers need to display text, and maybe pictures. None of the rest of that stuff is needed. JavaScript, Flash, playing video and audio, plug-ins, spellchecker, etc. just aren't necessary and just leads to people use the browser to do things is just isn't suited to do. Even Java is iffy when it is used to run applications in the browser.
  People treat the browser as their best, if not only, tool and use it even when it is not appropriate, much like using a hammer to drive screws.
  
  --
  There is no "-1 offended" or "-1 you don't agree with me" mod options for a reason.
29. Re:So..'many eyes make bugs shallow'? by Smurf · 2010-07-22 12:16 · Score: 3, Informative
  
  If any respectable open source team member had seen Javascript events being passed to the keyboard buffer, he or she would have screamed blue bloody murder and it would have become a priority one bug faster than you can say "the developer who wrote that shit has just lost code submission privileges on this project".
  Given that most Safari developers working for Apple are very respectable Open Source team members that contribute heavily to WebKit, I will have to say that your assertion is simply not true.
30. Re:So..'many eyes make bugs shallow'? by PeanutButterBreath · 2010-07-22 12:16 · Score: 1
  
  Browsers are about the most complex piece of software you will find anywhere
  So much the better then to keep them simple by omitting useless features like autofill. I don't need my browser to remember my personal information for me. (Seriously, who needs help typing in their own name!?) This is is a gimmicky feature thrown in to impress rubes. It is near worthless for legitimate use and and a crack waiting to happen.
31. Re:So..'many eyes make bugs shallow'? by mjwx · 2010-07-22 12:27 · Score: 1
  
  If that old canard is so true, than I have to wonder why it is that their are so many security-related issues with F/OSS browsers that go unchecked for so long?
  Because Safari is not an Open Source browser. No one but Apple can look at all of Safari's source code let alone submit a fix. Thus the old canard remains unchallenged, this is not endemic to WebKit or KHTML as it's affecting Safari only so I'd say the issue is in Apple's code, not the Open Source code.
  
  --
  Calling someone a "hater" only means you can not rationally rebut their argument.
32. Re:So..'many eyes make bugs shallow'? by phantomfive · 2010-07-22 13:03 · Score: 1
  
  lol sure, go back to your world of using Lynx. Great browser. Meanwhile, back here in the modern world, a lot of people like Javascript, and in the future (with HTML 5) we are only going to see expanded use. You're fighting a losing battle man, you might as while give it up and put your energy into something where it can be useful. Or keep fighting windmills. If that's what you like.
  
  --
  Qxe4
33. Re:So..'many eyes make bugs shallow'? by DaveV1.0 · 2010-07-22 13:55 · Score: 0
  
  Yes, tell me how much you like JavaScript when it locks up your browser. Remember this as you and your ilk continue to use the browser for more and more and basically turn it into an OS that runs on top of another OS. And, as more and more browsers are using the same innards (WebKit anyone), it is going to become a mono-culture. And, we know what happens with mono-cultures, don't we?
  Meanwhile, you are using appeal to popularity to justify stupidity and laziness.
  
  --
  There is no "-1 offended" or "-1 you don't agree with me" mod options for a reason.
34. Re:So..'many eyes make bugs shallow'? by BitZtream · 2010-07-22 13:58 · Score: 2, Informative
  
  The vulnerability does not exist in Webkit (the open source component of Safari), so no one but Apple can fix this issue.
  Really? Because there is discussion between developers (not just fanboys like yourself) about it existing and being fixed in chome because its likely a webkit issue, not Safari.
  Of course, I don't know that for a fact because its too soon to tell, but that didn't stop you from spouting some ignorant bullshit so why should it stop me?
  Its a bug in the javascript and dom code ... which ... guess where that code comes from ... Its not like Safari does it different than every other WebKit based browser.
  
  --
  Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
35. Re:So..'many eyes make bugs shallow'? by BitZtream · 2010-07-22 14:04 · Score: 2, Insightful
  
  I've written my own kernels for microcontrollers and I've done a fair amount of embedding Gecko and now Webkit.
  Embedding Gecko pretty much means you have to become a browser dev because mozilla is full of idiots but I digress.
  I would, without any doubt in my mind, write kernel code over browser code.
  Kernel code is freaking EASY compared to a browser. I'm more confident in fake 'memory protection' I can create without an MMU than I am of anything in a browser, and I know the fake memory protection is trivial to blow right past.
  Hardware is really easy to deal with because there aren't 300 layers inbetween you and the real hardware. Way too much redirection and other code in a browser, not only do you have the browser code but you also have all the code under it that makes it useful, including the kernel.
  Give me a SGI onyx with 64 processors and tell me to make a kernel and I'll do it.
  Tell me to write a rendering engine for a markup language and my first question will be 'whats the pay rate and whats the signing bonus for even considering taking the project'.
  Browser programming fucking sucks.
  
  --
  Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
36. Re:So..'many eyes make bugs shallow'? by SanityInAnarchy · 2010-07-22 14:08 · Score: 1
  
  s/non//
  So, most -profesionals? How... -professional of you.
  Sorry, I couldn't resist when there's a bug in your joke regex about software development being hard...
  
  (Maybe Erlang?)
  Not till it has better Unicode support, at the very least.
  
  We have Algol-descended languages based on the control-flow idea of 'do this thing, then that thing, in my private resource space',
  JavaScript still functions more or less like this. Try developing a Chrome extension -- if you want to communicate between tabs, you're going to end up sending messages. Granted, it's not going to be nearly as efficient as Erlang if you're handling large data structures...
  Me, I'm waiting for something like Reia, or maybe io, to get usable. Until then, I work with the tools I'm given -- Java at work and in school, Ruby and JavaScript at home.
  
  --
  Don't thank God, thank a doctor!
37. Re:So..'many eyes make bugs shallow'? by phantomfive · 2010-07-22 14:10 · Score: 1
  
  lolol you are fun. There is more diversity in browsers now than there has been in a decade. Of course monoculture is bad, but you don't need Javascript for a monoculture.
  
  Meanwhile, you are using appeal to popularity to justify stupidity and laziness.
  No, I'm saying form follows function, not the other way around. If you learn what that means, you will be a better programmer (assuming you are a programmer).
  
  --
  Qxe4
38. Re:So..'many eyes make bugs shallow'? by Kagetsuki · 2010-07-22 14:25 · Score: 1
  
  Embedded browsers do.
39. Re:So..'many eyes make bugs shallow'? by Anonymous Coward · 2010-07-22 15:10 · Score: 0
  
  Embedded systems that require mission critical certification are always simpler than consumer apps. Go read about the NASA code certification process. Anything clever is removed by huge buildings full of auditors reading code on dot matrix printouts while wielding red markers.
  If the auditor doesn't understand a piece of code, then the code is reviewed for refactoring. The fact that they use less common languages should not be mistaken for difficulty or complexity of coding. They use less common languages because most people do not require absolute reliability, therefore there is a huge market for less precise (more versatile) programming languages.
40. Re:So..'many eyes make bugs shallow'? by Anonymous Coward · 2010-07-22 15:33 · Score: 0
  
  And Safari wasn't?
41. Re:So..'many eyes make bugs shallow'? by BitZtream · 2010-07-22 16:12 · Score: 3, Insightful
  
  Freedom to do the best job you can and the sheer desire to create a product that's good enough that you would use is a very strong motivating factor.
  I'm sorry, have you actually USED any OSS software?
  Yes, thats true for a few things, but the 'quality' and 'movtivation' of OSS devs is just as shitty as closed source devs. For ever good OSS project there are roughly 1000 shitty ones, and the same is true for closed source software.
  The people who write open source software are VERY OFTEN the EXACT SAME ONES writing closed source software. Most of the time its because one is so they can eat and the other is so they can relax and enjoy themselves.
  
  I'm not saying this is necessarily the "rationale" you asked for, but maybe. Maybe the open source developers didn't have to waste their time going to "team building" workshops, or Monday breakfast meetings or have to keep their mouth shut while their boss screws something up or takes credit for the developers' work.
  So instead of having real motivation like 'fix the fucking bugs or your fired and don't get paid' or we have OSS motivation 'I'll feel special if I fix a bug!' ... And you think thats going to make OSS safer? Let me tell you how developers work. They write some code that they are proud off and think is bug free, and then ... someone finds and exploits thier pretty code because only about 1 out of 10,000 even care about finding bugs rather than pushing out new features, and only one in 10k of those actually have the skills to examine code and applications to find bugs, even fewer still have the ability to figure out ways around security mechanisms.
  
  Wait a minute now. We're talking about four browsers. The ones from Apple and Microsoft have security vulnerabilities and the ones from Google and Mozilla do not. Is it just coincidence?
  Wait, what? Are you blind or just born yesterday and don't have any clue wtf you're talking about? Let me quote what the person who found the bug said on the page linked since no one bothers to read it ...
  
  @Anonymous, Tom: I believe this may be a WebKit issue and not just Safari. While it is difficult to confirm now, I suspect this technique did in fact affect Chrome. Had some discussions with Google a while back surrounding this topic and recall them finding/fixing something, but I don't really get all the details straight. Will have to find an older Chrome version somewhere to confirm...
  
  --
  Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
42. Re:So..'many eyes make bugs shallow'? by bit9 · 2010-07-22 20:04 · Score: 1
  
  Yeah, I figured I'd get at least one know-it-all like you making some sweeping proclamation along the lines of "Nah. Embedded code is easy." But I've seen (and worked on) enough large-scale embedded systems to know that you're full of shit, and that the complexity involved in many such systems dwarfs that of a web browser.
43. Re:So..'many eyes make bugs shallow'? by bit9 · 2010-07-22 20:15 · Score: 1
  By the way...
  Your description about how embedded code gets written is completely bogus. It's obvious you've never actually been involved in any such development.
  You'd be surprised how few auditors are involved. Yes, there are lots and lots of design reviews, peer reviews, etc. But rooms full of auditors standing around with red markers? Not so much. I don't know where you got that from, but it's pure fiction.
  I never said anything about less common languages, but as long as you're beating on straw men, I suppose that's as good as any.
44. Re:So..'many eyes make bugs shallow'? by DaveV1.0 · 2010-07-23 01:13 · Score: 0, Flamebait
  
  Really? How many browsers use webkit? Thought so.
  Form follows function? Really? A web browsers function was originally reading hyper-linked text. But people decided that it would be neat if one could see pictures. Then, hear sound. Then games, movies, etc.
  Now, dumbass programmers try to use the browser as the interface to everything, regardless of whether it is appropriate. The other day on slashdot, there was someone asking about the best way to print from a browser because he was writing an inventory management system for a company that used a web browser as the interface rather than write an appropriate interface.
  I have no doubt you are of the same mind set. You have a hammer and treat everything like it is a nail.
  
  --
  There is no "-1 offended" or "-1 you don't agree with me" mod options for a reason.
45. Re:So..'many eyes make bugs shallow'? by not-my-real-name · 2010-07-23 01:42 · Score: 1
  
  I would argue that avionics software and flight software for satellites is actually simpler than a browser. The difference is that it has unbelievable levels of documentation and testing. When I was working with avionics software, the FAA simply forbade dynamic memory allocation for critical software. They have lightened up a bit and now allow memory to be allocated at initialization, but that's it. The important thing for this type of software is that it is predictable and deterministic. If the software does something, you have to be able to explain (and point to specific requirements) why the software did that.
  
  --
  un-ALTERED reproduction and dissimination of this IMPORTANT information is ENCOURAGED
46. Re:So..'many eyes make bugs shallow'? by juasko · 2010-07-23 02:45 · Score: 0
  
  How do i get lynx to my MacOSX10.6?
47. Re:So..'many eyes make bugs shallow'? by juasko · 2010-07-23 02:52 · Score: 0
  
  Well almost every mobile device with a browser on. Few examples; Nokia, HP WebOS (Palm), Apple, Google(Chrome, Android mobiles)
  The web is transforming to an SDK form making applications availabre from everywhere. It's not an bad idea at all, but should maybe be redisigned from scratsh.
  Maybe someone should make an HTML5 only compiant browser.
48. Re:So..'many eyes make bugs shallow'? by bit9 · 2010-07-23 03:25 · Score: 1
  
  I find it amusing that people think that because embedded software has to be predictable, deterministic, and well-documented, that it is therefore simpler. That's pure nonsense. The complexity of the software is driven by the system's requirements, and no, I don't mean the requirement that it be predictable and reliable. I don't know what avionics software you've worked with, but from what I've seen, avionics software has to control a huge number of different systems, and respond to a huge number of different inputs, and the logic involved is often very complex (flight control calculations, etc). Even the "simple" logic it performs is made much more difficult because of the enormous number of different cases it has to handle, meaning that it's almost never as simple as just having a huge switch statement. Yes, there are certain areas of the code that are straightforward and simple, as you would expect in any large system, but those parts tend to be the exception rather than the rule. In either case, the one thing I can say with certainty is that web browsers are nowhere near the "most complex piece of software you will find anywhere".
49. Re:So..'many eyes make bugs shallow'? by not-my-real-name · 2010-07-23 03:46 · Score: 1
  
  I've worked primarily with display systems. Much of the complexity is in input validation and source selection. If you have a valid source, then you display the value otherwise you throw up a red "X". You don't try to guess what should be displayed like some web browsers do (and this adds complexity for the web designed since each browser guesses differently).
  Since dynamic memory is forbidden or strictly controlled, the complexities of memory management are avoided. This would be for critical avionics software. Embedded software for other applications may not have this restriction and may be quite complex.
  If I had to make a guess for the "most complex piece of software", I'd pick a payroll system that was first written in the 60s or 70s and has been continually updated for tax law and contract changes since then and the last 5 years of updates have been made by binary patches since the last person who had the source code died in a tragic lemur watching accident.
  
  --
  un-ALTERED reproduction and dissimination of this IMPORTANT information is ENCOURAGED
50. Re:So..'many eyes make bugs shallow'? by bit9 · 2010-07-23 04:05 · Score: 1
  
  I've done some work on avionics displays code too, and from what I saw, the displays code is one of the least complicated parts of a typical avionics system. But that doesn't paint an accurate picture of the avionics system as a whole. Other parts, such as flight controls, vertical profile, the terrain avoidance system, etc are an order of magnitude more complex.
  Also, there seems to be a tendency in this thread to equate complexity with convoluted code. Convoluted code can be quite complex, but is often unnecessarily so. Some software, however, is very complex due to the requirements that drive it, and would still be complex no matter how cleanly it was written.
51. Re:So..'many eyes make bugs shallow'? by phantomfive · 2010-07-23 04:19 · Score: 1
  
  http://www.apple.com/downloads/macosx/unix_open_source/lynxtextwebbrowser.html There you go. Text-browse away.
  
  --
  Qxe4
52. Re:So..'many eyes make bugs shallow'? by phantomfive · 2010-07-23 04:48 · Score: 1
  
  Ten years ago there was really only one browser that had any real use. How many are there now? Pay attention. Diversity is increasing.
  
  You are kind of funny, you don't even seem to want images in browsers. Really?
  
  So once again, let me try to say it a different way: computers were built for people, not people for computers. Eventually (with HTML 5 and beyond) the browser is going to be a platform for network applications (which we will call web applications). Now, I admit that HTML and javascript are not currently great tools to do this, and are often quite frustrating, and indeed they aren't particularly great for page layout either, but eventually we will get beyond that. Browsers will be built to do what people want them to do, they will not be limited by what they were originally designed for. Incidentally, although some people obviously wanted the browser to be limited to viewing static pages, there wee other people who very much wanted to extend its capabilities and allow web applications. The conflicting goals is one of the reasons HTML and Javascript suck so much.
  
  Now, you obviously don't like this, but consider the alternative. The demand for remote/web/network based applications is so great that it would have happened eventually. If they didn't get built on the browser, they would have been built on a proprietary platform built by Microsoft. Indeed, Microsoft was trying to do that with .net, and fortunately for us failed, otherwise they would have a lot more power over the internet than they do now.
  
  Seriously, why do you have such a problem here? Does it bother you when a carpenter uses a hammer for something other than hitting nails? Maybe you should go around to construction sites and chastise workers when they use a hammer to hit a block into place, or install a shim in a doorway, or knock a board out, or adjust a roof. A hammer is such a useful and versatile tool.
  
  --
  Qxe4
53. Re:So..'many eyes make bugs shallow'? by amicusNYCL · 2010-07-23 06:24 · Score: 1
  
  That's because embedded software has the equivalent of drivers packaged with it, because they only need to work on a single known platform. Firefox isn't going to ship drivers for all known video and audio hardware in order to avoid needing to use the OS, which already has those drivers.
  
  --
  "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
54. Re:So..'many eyes make bugs shallow'? by Zerimar · 2010-07-23 11:35 · Score: 1
  
  Wait a minute now. We're talking about four browsers. The ones from Apple and Microsoft have security vulnerabilities and the ones from Google and Mozilla do not. Is it just coincidence?
  Wait a minute, Chrome and Firefox have no vulnerabilities?
55. Re:So..'many eyes make bugs shallow'? by ToasterMonkey · 2010-07-23 12:31 · Score: 1
  
  the Q/A being in the open anyone can go file and read through the bug reports, and if anyone actually didn't assign such a bug as priority one, then the whole project would be ridiculed, probably here and in many other places.
  Some very large companies have customer accessible bug reporting systems for non open source software, and if a known bug isn't available to the public you can call support and they'll find it for you. Sun/EMC/Oracle do this, and I'm sure many others. Free self service bug report access is a nice feature of free software, but I think I was talking about open source.
  That said, there is no guarantee the bug reports are open to the public for all open source projects anyway, if they even have such a process outside send emails to bugs@....
56. Re:So..'many eyes make bugs shallow'? by Kagetsuki · 2010-07-23 15:00 · Score: 1
  
  I appreciate your description, but as someone who regularly develops embedded software I honestly didn't need it.
57. Re:So..'many eyes make bugs shallow'? by juasko · 2010-07-24 10:05 · Score: 0
  
  thx but they link it to a site with a crippled download :(
58. Re:So..'many eyes make bugs shallow'? by phantomfive · 2010-07-24 10:20 · Score: 1
  
  lol You can try compiling from source, I think it will compile automatically for OSX; or you can look at Fink or DarwinPorts: I believe they both have Lynx available.
  
  --
  Qxe4
59. Re:So..'many eyes make bugs shallow'? by juasko · 2010-08-01 21:24 · Score: 0
  
  Got it working thx, did find a different mirror.
what the user sees should be hidden from programs by improfane · 2010-07-22 09:25 · Score: 2, Insightful

This reminds me of Windows. It's impossible to override certain key combinations like CTRL+ALT+DELETE.
It's kind of obvious: you don't let a program ever, imitate the user in the same context. Web browsers should never have been able to create windows 'outside' of the rendering area to boot (unless full screen)... browsers should never have been able to 'see' what the user sees in regard to links...Internet explorer showing contents of C:\...and so on...

--
Slashdot needs Geekcode | Can anyone recommend any good SCIFI? My tastes: Foundation, Startide Rising, CITY, Ringworld,
In Soviet Apple by Anonymous Coward · 2010-07-22 09:27 · Score: 0

Safari leaks ON you !
Yours In Cupertino,
Kilgore Trout
Only if you put the data there to begin with... by DavidR1991 · 2010-07-22 09:30 · Score: 1

Who fills out all their personal information into OS X's address/contact listing? I certainly don't
1. Re:Only if you put the data there to begin with... by Spy+Hunter · 2010-07-22 09:41 · Score: 2, Informative
  
  Even if you've never used the Address Book app this information could be in there. In the OS X first-launch setup dialog it asks for your real name, and that gets automatically inserted into the address book. I'd wager that most people who use Macs have done this, so their real names are accessible to any website using this technique.
  Additionally, though this is less likely, if you fill out the registration form during setup I believe that information also goes into the address book, so there's your home address and email too.
  
  --
  main(c,r){for(r=32;r;) printf(++c>31?c=!r--,"\n":c<r?" ":~c&r?" `":" #");}
2. Re:Only if you put the data there to begin with... by natehoy · 2010-07-22 09:53 · Score: 1
  
  OK, fair enough, but (assuming you use Safari), this issue goes a little deeper...
  What information have you filled into web forms? Is Safari set up so it remembers that information?
  Sure, your name and address may be safe from the address book, but have you ever entered your name and address on a site and had it remembered?
  If you use Safari and you wish to continue using it, it's a very, very good idea to read the first article and turn off the "remember stuff in web forms" immediately, and keep it off until a fix is available.
  
  --
  "This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
3. Re:Only if you put the data there to begin with... by theurge14 · 2010-07-22 10:19 · Score: 1
  
  I do. It's a rather useful feature.
  That I will be using again once this bug is fixed. :P
4. Re:Only if you put the data there to begin with... by vlueboy · 2010-07-22 14:54 · Score: 1
  
  Who fills out all their personal information into OS X's address/contact listing? I certainly don't
  The "computer literacy" which we have, and "cooperation with what the computer would like to have you do " sometimes go at odds with each other. Therefore, you probably can't fathom why I've seen plenty of managers and their staff in the financial sector, who want their data to be well known / available with little fuss for business' sake OR the higher education sector, where managers, faculty and staffers sit at their desks with lots of "free time" to gain arcane knowledge of address-book features without much practical security to keep them safe from data breaches. We think different, but they do not, and they do fill out this data or it is filled out in a centralized way for them.
  Ironically, these businesses are largely big in nature, and hold much bigger stakes when the data is compromised than when it's nothing more than a breach due to Joe average's online naivete pushing "web 2.0 babbling" to his offline life and OS. We can blame our increasing pressure to "fill out every [pointless] textbox to collect a reward."
  In my last couple jobs, Windows address books were filled out automatically, sometimes with very detailed information on locations, phones, titles, webpages and even detail boxes (sometimes including home #'s) I'm not sure if the MacOS Server version has this same kind of Windows Server integration, but it is reasonable to suspect that your internal information might have been stored there when you arrived at the company, and try to erase it locally if you find that to be "informally" OK.
5. Re:Only if you put the data there to begin with... by MoeDumb · 2010-07-22 19:37 · Score: 1
  
  Auto-fill is enabled by default? OK, disable it by default and enable only when needed. Seems that would solve this problem until a fix is released.
  
  --
  Mod Me Up. You'll make a grown man cry.
6. Re:Only if you put the data there to begin with... by tehcyder · 2010-07-23 01:10 · Score: 1
  
  Who fills out all their personal information into OS X's address/contact listing? I certainly don't
  
  I know it's hard to believe, but just because you don't use a particular feature of an OS, it's just barely possible that others do.
  
  --
  To have a right to do a thing is not at all the same as to be right in doing it
Bad Headline by dch24 · 2010-07-22 09:31 · Score: 3, Insightful

Jeremiah Grossman says in the comments:

@Anonymous, Tom: I believe this may be a WebKit issue and not just Safari. While it is difficult to confirm now, I suspect this technique did in fact affect Chrome. Had some discussions with Google a while back surrounding this topic and recall them finding/fixing something, but I don't really get all the details straight. Will have to find an older Chrome version somewhere to confirm...

@Harryf: good find, that is vaguely similar and potentially offers a way to make this more efficient.

@klkl: it does, sorta, but getting it to work is more difficult than it should be. At least for me. :)
Would that have been before or after Eric Schmidt resigned Apple's board and they became sworn enemies? He didn't get mad because Steve started stalking him, did he?

Oh well, I'll hit submit in Safari now...
1. Re:Bad Headline by Anonymous Coward · 2010-07-22 16:01 · Score: 2, Funny
  
  No need to hit Submit-- I've already got it.
"If you use Safari, by mark72005 · 2010-07-22 09:32 · Score: 4, Funny

"If you use Safari,..."

Phew. That takes care of everyone.
1. Re:"If you use Safari, by Monkeedude1212 · 2010-07-22 09:41 · Score: 2, Funny
  
  Well, everyone worth taking care of, at least.
2. Re:"If you use Safari, by Anonymous Coward · 2010-07-22 09:51 · Score: 0
  
  Yeah, because no one has an iPhone or iPad.
3. Re:"If you use Safari, by lwsimon · 2010-07-22 09:59 · Score: 1
  
  I use Safari in Windows, and I'm taken care of too - I read the article (gasp!), turned off Autofill, and went about my day.
  
  --
  Learn about Photography Basics.
4. Re:"If you use Safari, by SchroedingersCat · 2010-07-22 10:08 · Score: 1, Funny
  
  I use Safari in Windows (gasp!)
  
  There, fixed it for you
5. Re:"If you use Safari, by Monkeedude1212 · 2010-07-22 10:10 · Score: 1
  
  How do you know you haven't already had the information taken from you?
6. Re:"If you use Safari, by Lars+T. · 2010-07-22 11:13 · Score: 3, Informative
  
  Yeah, because no one has an iPhone or iPad.
  Naccio said...
  @ Jeremiah Grossman: Does it work with iPad, iPhone or iPod browser?
  July 22, 2010 11:56 AM Jeremiah Grossman said...
  @naccio: no, it does not. Mobile Safari's behavior is different.
  
  --
  Lars T.
  To the guy who modded me down from perfect to terrible Karma - Apple haters still suck
7. Re:"If you use Safari, by MobileTatsu-NJG · 2010-07-22 11:53 · Score: 1
  
  How do you know you haven't already had the information taken from you?
  You don't know if you've had info taken from you, either. What do you do about it?
  
  --
  
  "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)
8. Re:"If you use Safari, by L4t3r4lu5 · 2010-07-22 20:01 · Score: 0, Flamebait
  
  Anyone who uses Safari certainly should be "taken care of."
  
  --
  Finally had enough. Come see us over at https://soylentnews.org/
9. Re:"If you use Safari, by Anonymous Coward · 2010-07-23 00:19 · Score: 0
  
  FU ignorant jerk
10. Re:"If you use Safari, by Anonymous Coward · 2010-07-23 00:27 · Score: 0
  
  You arrogant, bigoted A-hole.
11. Re:"If you use Safari, by Bill_the_Engineer · 2010-07-23 01:09 · Score: 1
  
  I use Safari, and why is everybody coming to my house?
  
  --
  These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
12. Re:"If you use Safari, by tehcyder · 2010-07-23 01:18 · Score: 1
  
  How about if my other half inadvertently downloaded Safari while installing an update of fucking iTunes for her fucking iPod, and I clicked it once by accident and decided that in future I'd rather surf the web with an etch-a-sketch, but never actually deleted it because the last time I tried that it deleted her entire catalogue of music, and signed me up to an S&M dating website?
  Do I still count as a Safari user?
  
  --
  To have a right to do a thing is not at all the same as to be right in doing it
13. Re:"If you use Safari, by Monkeedude1212 · 2010-07-23 02:02 · Score: 1
  
  I don't use Safari so I know this particular exploit hasn't worked on me. Improves my chances, at least.
14. Re:"If you use Safari, by MobileTatsu-NJG · 2010-07-23 06:18 · Score: 1
  
  Heh. It is interesting that odds fluctuate based on what you don't know.
  
  --
  
  "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)
15. Re:"If you use Safari, by Monkeedude1212 · 2010-07-23 07:25 · Score: 1
  
  Yep. General statistics. If you watch the movie 21, he'll explain variable change.
  
  *situation is that he's hypothetically offered a car that is behind 1 of 3 doors. After choosing one, the host of the show opens one of the doors to reveal nothing. Now does he want to stick with his choice or change it.*
  Micky Rosa: He says, "Ben, do you want to stay with door number one or go with door number two?". Now, is it in your interest to switch your choice?
  Ben Campbell: Yeah.
  Micky Rosa: Well wait, the host knows where the car is. So how do you know he's not trying to play a trick on you - trying to use reverse psychology to get you to pick a goat?
  Ben Campbell: Well I wouldn't really care. I mean, my answer's based on statistics - based on variable change.
  Micky Rosa: Variable change? But he just asked you a simple question.
  Ben Campbell: Yeah, which changed everything.
  Micky Rosa: Enlighten us.
  Ben Campbell: Well, when I was originally asked to pick a door, I had a 33.3% chance of choosing right. But after he opens one of the doors and re-offers me the choice, it's now 66.7% if I choose to switch... So yeah, I'll take door number two and thank you for the extra 33.3%.
16. Re:"If you use Safari, by MobileTatsu-NJG · 2010-07-23 07:49 · Score: 1
  
  Heh nice. I'm thinking of Red Dwarf. The ship's blowing fuses all over the place. They escape in Starbug. Lister says "We're just leaving as a precaution. That ship has all these redundant backups and safety devices, the odds of the ship actually exploding are one in...." *ship explodes* "... One."
  
  --
  
  "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)
Re:I know all about you if you're a Safari user. by Anonymous Coward · 2010-07-22 09:33 · Score: 0

Do detect this and charge them extra for your products accordingly?
proud to be! by Infonaut · 2010-07-22 09:39 · Score: 0, Offtopic
1. Rainbow apple stickers are no longer "hip" or "in"?
2. What are you doing after?
3. You're just jealous. Maybe you'd like a job as my cabana boy. Did I already ask you what you're doing after? I forget. So many drugs, so little time.
4. Listen, in Paraguay this blend of bat guano, fern leaves, and cave-grown coffee is common. Want a taste? Hey, what are you doing later?
5. I'm proud to be a fat neckbeard who wears skinny black jeans, Chuck Tailors, ironic t-shirts, and ugly black glasses. You should be so lucky.
But seriously, what are you doing after?
--
Read the EFF's Fair Use FAQ
Re:what the user sees should be hidden from progra by telchine · 2010-07-22 09:54 · Score: 1

This reminds me of Windows. It's impossible to override certain key combinations like CTRL+ALT+DELETE.
Is this true?
Odd coincidence, but last nioght I got a Windows
My guess is... by Anonymous Coward · 2010-07-22 09:56 · Score: 0

So basically, make a website with properly-named (and hidden) form elements, and have a form.submit on something that will likely be clicked? Or even a javascript on.change on the fields themselves?
1. Re:My guess is... by Qzukk · 2010-07-22 10:21 · Score: 1
  
  It goes a little bit beyond that. Entirely automatic autofill is usually tied to a specific site, everything else is autocomplete. In this case, the attack is to create an input named "name" and insert the letter A in there. If the victim's name starts A, Safari goes beyond the usual dropdown of options that other browsers use for autocomplete and inserts the whole name directly in the field. If it doesn't, then the attack javascript erases the A and writes B, and so on.
  It's not a webkit bug. Chrome will show the autocomplete dropdown (the "name" box will show everything you ever put into an input named "name") but won't fill in the input field so the javascript can't see anything (but if you click on an option in the dropdown fast enough, the script will see that)
  While doing this, I discovered that Chrome's autocomplete dropdown has an interesting glitch: if you switch tabs away from the script while it's running, the dropdown will appear on top of everything else in some random location (in my case, chrome runs on display 2, and the dropdown appeared on display 1). I guess they didn't expect that an input field could open a dropdown while that tab is not visible.
  
  --
  If I have been able to see further than others, it is because I bought a pair of binoculars.
Bug? by Anonymous Coward · 2010-07-22 09:59 · Score: 3, Funny

Just don't hold it like that.
Not the whole address book by Mojo66 · 2010-07-22 10:02 · Score: 2, Informative

and the data that this feature has access to includes the user's local address book
The only card that can be read is the "Me" card, not the whole address book.
1. Re:Not the whole address book by pandrijeczko · 2010-07-22 12:10 · Score: 1
  
  ...and having the "Me" card may allow me, as a wiley hacker, to work out if your account password is based on any information held in that card.
  Or maybe it gives me your phone number so I can call you & do a bit of social engineering to make you install an application I want on your machine, or even get you to reveal your password to me...
  Please do not underestimate the value of information to any hacker - even the "Me" card means someone can ending up knowing more about you then when they didn't have it.
  
  --
  Gentoo Linux - another day, another USE flag.
2. Re:Not the whole address book by Anonymous Coward · 2010-07-23 01:15 · Score: 0
  
  "even the "Me" card means someone can ending up knowing more about you then when they didn't have it."
  My "Me" card contains a message which tells you to go fuck yourself. Which in your case is probably the
  only time you are ever going to get laid, Mr. Wile E. Hacker.
3. Re:Not the whole address book by pandrijeczko · 2010-07-23 01:39 · Score: 1
  
  Well, then I wish you the best of luck.
  Because if you're that delusional to believe that any personal data leakage is less important that displaying a little fruit picture on the lid of your computer, then you will need all the luck you can get.
  Incidentally, my nice salary as a security consultant has ultimately lead to a happy more comfortable lifestyle in a good relationship - so yes I'm a computer geek and yes I get laid regularly - but thanks for asking.
  
  --
  Gentoo Linux - another day, another USE flag.
I'm mad as hell... by bennomatic · 2010-07-22 10:04 · Score: 1

...unless, of course, they give me a free bumper for my MacBook.

--
The CB App. What's your 20?
1. Re:I'm mad as hell... by Anonymous Coward · 2010-07-22 10:12 · Score: 0
  
  Just don't browse that way.
  Problem solved.
Ohh my goood a Safari bug... by Anonymous Coward · 2010-07-22 10:12 · Score: 0

It is just amazing that Jeremiah Grossman and his friends always come up with little shitty bugs and get hyped by media.
OMG... Safari has a P*R*I*V*A*C*Y bug.
Seriously guys. With every new Safari patch-day there are tons of REMOTE CODE EXECUTION holes fixed that not only endager your privacy but all of your data. I never see media praising the finders of these vulnerabilities. Or maybe they are just not advertise themself enough like Grossman and Friends.
Update: Statement from Steve Jobs... by pandrijeczko · 2010-07-22 10:41 · Score: 1, Redundant

... you are holding your Safari browsers the wrong way.

--
Gentoo Linux - another day, another USE flag.
It is the free rider problem by leereyno · 2010-07-22 10:42 · Score: 1

The problem is that the people who use firefox are not cut from the same cloth as the people who develop it.
GCC is a robust and powerful compiler because the people who use it can fix it when it is broken and improve it.
The vast majority of those who use firefox and other such products are utterly incapable of fixing problems, or even of identifying when there is a problem.

--
Muslim community leaders warn of backlash from tomorrow morning's terrorist attack.
1. Re:It is the free rider problem by ewanm89 · 2010-07-22 11:26 · Score: 1
  
  GCC is a lot more complicated than a browser, compilers are very tricky tools to make. A lot of users that can code C certainly wouldn't be able to make a compiler without training in that area (the difference between a CS degree and a software engineering degree). On top of that GCC is a whole load of compilers, assemblers and processors not to mention the optimizers. Add the question of how does one compile a compiler without the compiler, then one realises that just the build process is nastily complicated. Last I heard from GCC developers was that the code is quite a mess.
  Yeah, I think I prefer firefox source code.
2. Re:It is the free rider problem by ewanm89 · 2010-07-22 11:29 · Score: 1
  
  Oh, and developers use browsers as well as compilers.
3. Re:It is the free rider problem by Anonymous Coward · 2010-07-22 17:11 · Score: 0
  
  A browser is a compiler with a funky filesystem layer.
4. Re:It is the free rider problem by ewanm89 · 2010-07-23 02:24 · Score: 1
  
  To a degree, a modern javascript based one, yes. But that's not the browsers primary function, and it's not a compiler in the same way. GCC currently handles, C/C++, Java (gcj), Ada, Obj-C, Fortran and then outputs to ARM, MIPS, x86 (and x86-64), PPC assembly and can optimise and assemble for pretty much any of the processors in those architectures. Also, a single scripted language interpreter/compiler in C/C++ is rather different to build alone to a C/C++ compiler written in C/C++. Also, the javascript engine really is a small and not strictly necessary component to a browser.
DOM event model by bussdriver · 2010-07-22 11:08 · Score: 3, Insightful

The standard event model allows javascript to trigger events such as keystrokes.
Its easy to see why a browser obsessed with speed would just forward the API call to the internal event model. I can totally see the appeal and instinctive reaction to a situation like this; its clean, fast and simple coding - security is not often a big goal when you are initially just trying to get something working; even so, this could get missed by multiple eyes... Plus this is not part of webkit - its bridging the engine to the GUI; which is an unusual situation compared to the bulk of code - all the hard work is in the engine this just ties that to a GUI, quite likely there is a separation between working groups - obviously there is one since the engine is open source and the GUI is not. Their job is to bridge and probably do not get the level of attention as other aspects of the program.
I'm not letting them off the hook, this should have be caught within 1 version or during a security audit if there was one... and if there was:
1) was the attention given to the engine only?
2) do these people work on the code so they get tied up fixing bugs instead of just logging all the ones they uncover? (a lack of specialization)

--
Democracy Now! - uncensored, anti-establishment news
Re:Apple has fumbled the ball by pandrijeczko · 2010-07-22 11:27 · Score: 0, Flamebait

Apologies but could you repeat your message as I missed it the first time?
I was out with friends spending lots of money on a social life & beer since I don't spend it on overpriced designer hardware that makes me feel part of an elitist little club with permission to sneer derisively at anyone outside that club.

--
Gentoo Linux - another day, another USE flag.
Re:what the user sees should be hidden from progra by nickspoon · 2010-07-22 11:47 · Score: 1

Odd coincidence, but last nioght I got a Windows
Did it hurt?
Only a few users' privacy was violated by aapold · 2010-07-22 11:57 · Score: 2, Funny

and they are: Alan Jones, 9112 Tarquin Drive Luton New Hampshire, Bday Nov 3, 1970, SSN# 867-53-0909...
Arthur J. Smith, 30612 Jethro Lane, Biscuitbarrelville Connecticut,
James Walker, 26318 Adrian Telescope Road, Harpenden Maine

--
"Waste not one watt!" - CZ
Why would anyone use autofill? by snowwrestler · 2010-07-22 12:34 · Score: 1

Seems to me that autofill creates a database of personal information that is accessible by the Internet and dependent on a browser's security model. Does any kind of software have a worse record for security than Web browsers? (Maybe e-mail clients?)
The first thing I do in any browser is turn off autofill for all fields. Anything I need to type into a form is either already in my head or I can look it up easily (credit card number for instance). Either way, it's personal info that IMO does not need to be attached permanently to the Internet.

--
Build a man a fire, he's warm for one night. Set him on fire, and he's warm for the rest of his life.
Re:what the user sees should be hidden from progra by SanityInAnarchy · 2010-07-22 13:43 · Score: 1

And why should fullscreen get a pass?

--
Don't thank God, thank a doctor!
Overblown? by nilbog · 2010-07-22 14:39 · Score: 1, Redundant

The only time the data is given to the browser is when you've already started typing it. Iirc you have to enter one field and then tab to the next. So if you're giving this data anyway it's not really a vulnerability. The only potential victims are people who start entering data and then decide not to. Worth paying attention to, but not exactly a huge problem.

--
or else!
1. Re:Overblown? by Anonymous Coward · 2010-07-22 17:52 · Score: 0
  
  BZZZZZT! YOU ARE WRONG. You are an idiot. Did you READ the ARTICLE? You are very very wrong. I think, sadly, you are suffering from AIDS-RELATED DEMENTIA. Many Apple users suffer from that. I feel sorry for you.
  You are WRONG.
2. Re:Overblown? by SudoGhost · 2010-07-22 19:55 · Score: 1
  
  Did you even read the article?
  
  All a malicious website would have to do to surreptitiously extract Address Book card data from Safari is dynamically create form text fields with the aforementioned names, probably invisibly, and then simulate A-Z keystroke events using JavaScript. When data is populated, that is AutoFill’ed, it can be accessed and sent to the attacker.
3. Re:Overblown? by SudoGhost · 2010-07-22 19:57 · Score: 1
  
  All a malicious website would have to do to surreptitiously extract Address Book card data from Safari is dynamically create form text fields with the aforementioned names, probably invisibly, and then simulate A-Z keystroke events using JavaScript. When data is populated, that is AutoFill’ed, it can be accessed and sent to the attacker.
  Did you even read the article?
4. Re:Overblown? by nilbog · 2010-07-24 12:46 · Score: 1
  
  Yea - so they have to guess my name first. Might as well be a password - I'm really not to worried.
  
  --
  or else!
What is the appeal of Safari in the first place? by Kagetsuki · 2010-07-22 14:46 · Score: 1

I use it once in a while to test compatibility with web applications I'm developing, but even then I find it frustrating to use. Perhaps it is just the windows version, but buttons never respond quickly, in general the browser just feels slow and heavy, and the fact that F5 doesn't refresh a page annoys the hell out of me (as I use it constantly in every other browser). On top of that Safari renders everything in tables, and if you save a rendered snapshot of the page you get this one line table vomit which makes it impossible to figure out what exactly is going wrong. Chrome of course gives the same output, but at least the default developer tools in Chromium are decent. My last WTF point about Safari is something that Apple is obviously handling differently for their own products: JavaScript mouse events, including drags - Safari will immediately reclaim the mouse and not let you implement a JavaScript drag easily unless you use their 800 line device detection library script and then set up a CSS3 framework of all sorts of bizzare obviously not standard garbage. This is what you see if you are able to view the HTML5+CSS3 demos on the Apple web page. Sure it looks good and perhaps even makes sense on an Apple device - but the whole thing could be done in JavaScript even without HTML5 (we're doing it!) and 3D stuff should be handled in Canvas; NOT Apple brand "it's a standard because we say it is" CSS3. Just look at the source to those demos, we achieved similar functionality in less than a quarter of the code using only actual standards and it even works on IE7+ (but the drag does not work on Apple devices, and we have no intention of adding hundreds of lines of code to allow it to).
Re:what the user sees should be hidden from progra by Cankersore · 2010-07-22 14:52 · Score: 1

Its not impossible. Its just the default
Re:Apple has fumbled the ball by Anonymous Coward · 2010-07-22 15:17 · Score: 0

I make enough money that I can do both because I have a real job because I know how to use a real computer. Now go back to your buddy's mothers basement and keep sucking down that Hamm's 30 pack you bought with tips from delivering pizza.
Re:what the user sees should be hidden from progra by improfane · 2010-07-22 17:05 · Score: 1

Only if the user invoked the fullscreenedness should it be permitted. I think in that way it would very difficult for software to 'fake' your desktop.

--
Slashdot needs Geekcode | Can anyone recommend any good SCIFI? My tastes: Foundation, Startide Rising, CITY, Ringworld,
Wonder when the video is released by Anonymous Coward · 2010-07-22 18:59 · Score: 1, Funny

Wonder when they will release a video of showing that all other browsers are also vulnerable (although different vulnerabilities).
Re:Apple has fumbled the ball by pandrijeczko · 2010-07-22 19:53 · Score: 1

Like I said - great well-paid job, lots of disposable income with no need to spend any of it on little white boxes with pictures of fruit on them, great long-term relationship & about to spend this coming weekend at a classic rock festival in London seeing some of my all time favourite musicians play.
I'm in a great mood & immune from the goading of trolls - have a GREAT day yourself!

--
Gentoo Linux - another day, another USE flag.
Re:what the user sees should be hidden from progra by TheRaven64 · 2010-07-22 21:47 · Score: 1

Yes, this sequence is trapped by the kernel and never delivered to normal userspace applications. On the original PC, as I recall, it was trapped by the keyboard controller and raised an interrupt, triggering a reboot if the OS didn't handle it. Windows always traps it and delivers it to a special privileged program. This makes it impossible to fake the Windows NT login screen. Faking something like xdm is easy, because it's just another program. The NT login screen requires you to hit control-alt-delete first - if you're already logged in then it will jump to the dialog for launching the task manager and a few other things.

--
I am TheRaven on Soylent News
Re:What is the appeal of Safari in the first place by Savage-Rabbit · 2010-07-22 23:25 · Score: 1

I use it once in a while to test compatibility with web applications I'm developing, but even then I find it frustrating to use. Perhaps it is just the windows version, but buttons never respond quickly, in general the browser just feels slow and heavy, and the fact that F5 doesn't refresh a page annoys the hell out of me (as I use it constantly in every other browser)...
It's not just the windows version, on OS X the Safari reload shortcut is [cmd]+R. The reason for this is that on many Apple computers the F keys are accessed via an [fn] modifier button on the keyboard since their default function os for Volume/Media player/Sreen-brightness control etc. You can change them to work as F keys by default in System Preferences. You aren't complaining about Safari being broken you are complaining about it not behaving like a windows App which is not a bug, it's just different. I suppose one could argue that on Windows, Safari should behave like other Windows browsers. But then again I see the fact that it doesn't as a feature rather than a shortcoming. For me the windows Safari version gives me a Mac browser on that OS which does not force me to suffer the same annoyances as you are complaining about (unfamiliar shortcuts) whenever I am forced to abandon OS X for Windows.

...On top of that Safari renders everything in tables, and if you save a rendered snapshot of the page you get this one line table vomit which makes it impossible to figure out what exactly is going wrong. Chrome of course gives the same output, but at least the default developer tools in Chromium are decent. My last WTF point about Safari is something that Apple is obviously handling differently for their own products: JavaScript mouse events, including drags - Safari will immediately reclaim the mouse and not let you implement a JavaScript drag easily unless you use their 800 line device detection library script and then set up a CSS3 framework of all sorts of bizzare obviously not standard garbage. This is what you see if you are able to view the HTML5+CSS3 demos on the Apple web page. Sure it looks good and perhaps even makes sense on an Apple device - but the whole thing could be done in JavaScript even without HTML5 (we're doing it!) and 3D stuff should be handled in Canvas; NOT Apple brand "it's a standard because we say it is" CSS3. Just look at the source to those demos, we achieved similar functionality in less than a quarter of the code using only actual standards and it even works on IE7+ (but the drag does not work on Apple devices, and we have no intention of adding hundreds of lines of code to allow it to).
One could sing a song like that about practically every browser out there. Take for example the entire Microsoft IE series... but never mind that, thanks for reminding me why I hate developing web-applications.

--
Only to idiots, are orders laws.
-- Henning von Tresckow
Re:what the user sees should be hidden from progra by boxwood · 2010-07-22 23:35 · Score: 1

I've never understood the Ctrl-Alt-Del thing on the windows login. Yeah if it comes up and asks for you to hit Ctrl-Alt-Del, you can be certain its the real login screen. But really, how many users are going to get a login screen and notice that it didn't ask for Ctrl-Alt-Del and then call up tech support? 99.9% of people will just enter their username and password and not take any notice.
Re:what the user sees should be hidden from progra by lindi · 2010-07-22 23:57 · Score: 1

Of course it is a challenge to educate users but at least this gives you the possibility to access a trusted path if you care? I don't use Windows but as I understood it this is one of the features that gnu/linux systems really should support, at least as an option.
Yes, Firefox AND Chrome are affected by pastafazou · 2010-07-23 00:48 · Score: 2, Interesting

"Internet Explorer, Firefox, Chrome, and Safari browsers are susceptible to attacks that allow webmasters to glean highly sensitive information about the people visiting their sites, including their full names, email addresses, location, and even stored passwords, a security researcher says."
although the exploits are different for each browser. Read more here
I thought everyone knew? by ctchristmas · 2010-07-23 01:13 · Score: 1

I thought everyone knew that the Safari is full of bugs?
Re:what the user sees should be hidden from progra by infolation · 2010-07-23 01:23 · Score: 2, Interesting

It certainly is possible to override CTRL-ALT-DELETE.

Even something as basic as an Adobe 'Macromedia' Director projector can trap it using something like Meliorasoft's Keyboard Control Xtra"
In a word, yes. by sgtrock · 2010-07-23 01:49 · Score: 1

But don't take my word for it.
Re:what the user sees should be hidden from progra by juasko · 2010-07-23 02:24 · Score: 0

The fullscreen idea is crippled anyway tha Macy way for zoomin as it was in pree MacOSX times i absolutely the best way and period.
Maybe linux has some vierd brance that behaves correctly as MacOSX does int not still better than windows on this issue.
Re:What is the appeal of Safari in the first place by Kagetsuki · 2010-07-23 03:30 · Score: 1

I only boot Windows in a VM to test, I don't use windows regularly. And F5 is universal across a wide variety of interfaces, including nautilus and every other manager I can recall using on Linux, as well as Windows Explorer. The least they could have done was enable BOTH ctrl/cmd + R AND F5. Chrome by the way responds to F5. To me it still feels like Apple did it differently because they refuse to do things like everyone else (irrelevant of the result being good or bad).

As for web development, it's a nightmare. JavaScript sucks on every browser for several reasons:
No standard timeouts or waiting, you have to event chain
No "include" or "require" to allow you to include other scripts (there are hacks, but they all suck)
Loading is always handed to the browser, always asynchronous, and if the browser fails there is no standard event that fires
"document" and "window" are basically the same, but some browsers use one some the other... why not just define both of them to the same obejct!?

But seriously, Safari, NOT WebKit, does things in such a non standard and incompatible way that at this point we basically just test our applications in Safari last and see if we can fix them or at least make them run half-broken.
Re:what the user sees should be hidden from progra by improfane · 2010-07-23 06:26 · Score: 1

You're right but I just looked at the manual for that software: you need Administrator privileges to run that director plugin. After which you can run with normal privileges, in which case, if you're admin to begin with, you can do anything anyway, you don't need to use sneaky tactics like peeking at what the user sees or pretending to be the user.
The horse has bolted so to speak.

--
Slashdot needs Geekcode | Can anyone recommend any good SCIFI? My tastes: Foundation, Startide Rising, CITY, Ringworld,
Not perfect... by Anonymous Coward · 2010-07-23 07:03 · Score: 0

Hey Hey Hey! We are not perfect, ALL browsers leak data....Here's a free browser bumper....
Re:what the user sees should be hidden from progra by SanityInAnarchy · 2010-07-24 06:21 · Score: 1

Then why mention fullscreenedness at all? That's a red herring. Do this instead:

Web browsers should never have been able to create windows 'outside' of the rendering area to boot (unless user-invoked)
Same applies to popups, no?

--
Don't thank God, thank a doctor!
Re:what the user sees should be hidden from progra by improfane · 2010-07-24 06:32 · Score: 1

By allowing popups to appear outside the page rendering area, i.e, the bit below your tab bar and browser GUI and with small borders, it gives websites free reign and ability to create realistic popup windows that imitate software of your system, so people get suckered into installing legitimate looking spyware.
I am sure there are ways to 'overlay' ontop of a fullscreen application to make it clear that it is in actual fact, a web page. Even a small bar notification saying: 'Activated full screen mode. [Ok] [Exit fullscreen]
There has to be distinctions between local and remote software somehow. Web sites can appear pixel perfect renditions of local software and that is the problem. The only way you can solve that problem is make it more obvious what is on the page and what is not.

--
Slashdot needs Geekcode | Can anyone recommend any good SCIFI? My tastes: Foundation, Startide Rising, CITY, Ringworld,
Re:what the user sees should be hidden from progra by SanityInAnarchy · 2010-07-24 07:03 · Score: 1

By allowing popups to appear outside the page rendering area, i.e, the bit below your tab bar and browser GUI and with small borders, it gives websites free reign and ability to create realistic popup windows that imitate software of your system, so people get suckered into installing legitimate looking spyware.
Yes, I understand -- though there are things about those which make it obvious that they're browser-generated. But again, user-initiated is the key here. Current popup blockers do a good job, I think -- Chrome blocks popups, but makes it clear when a website has requested a popup and how to enable it.
A healthy amount of skepticism would also help. For example, if a website looks local, and is asking me for my bank details or twitter account, I'm going to wonder what kind of local spyware I have installed.

I am sure there are ways to 'overlay' ontop of a fullscreen application to make it clear that it is in actual fact, a web page. Even a small bar notification saying: 'Activated full screen mode. [Ok] [Exit fullscreen]
A what notification? Flash has a pretty decent approach, I think -- there's an overlay that appears onscreen which reminds you that you've entered fullscreen, and to press esc to exit.

--
Don't thank God, thank a doctor!
Re:what the user sees should be hidden from progra by improfane · 2010-07-24 07:09 · Score: 1

That's exactly the kind of notification I like. Either that or something similar but hopefully less annoying like the yellow bar in IE or Firefox nowadays.
When popups could set the positioning on your screen, that's a bad thing.

--
Slashdot needs Geekcode | Can anyone recommend any good SCIFI? My tastes: Foundation, Startide Rising, CITY, Ringworld,
Re:what the user sees should be hidden from progra by Tacvek · 2010-07-25 15:05 · Score: 1

Andy why do you need admin privileges? To install a kernel-mode driver! Even the admin users cannot directly trap CTRL-ALT-DELETE and the right to install new services/Drivers can be restricted even for administrator accounts (but in practice never is).

--
Stylish sheet to fix many problems in Slashdot's D3: https://gist.github.com/801524