Slashdot Mirror
Safari Privacy Bug May Be Leaking Your Data
richi writes "If you use Safari, your browser may be leaking your private information to any website you visit. Jeremiah Grossman, the CTO of WhiteHat Security, has discovered some Very Bad News. I have some analysis and other reactions over at my Computerworld blog. The potential for spam and phishing is huge. A determined attacker might even be able to steal previously-entered customer data." In short, autofill for Web forms is enabled by default in Safari 4 / 5 (and remotely exploitable), and the data that this feature has access to includes the user's local address book — even if the information has never been entered into a Web form.
It seems that the bug is due to Safari allowing keyboard events to be generated from Javascript, so a malicious script can pretend to interact as if it were the user, whereas Firefox doesn't get fooled.
--
The Founder Conference is coming August 17
It could be that more of the vulnerabilities are being found in open source browsers than in closed source browsers. In other words, closed source browsers may have many more undiscovered security problems. IE still has security vulnerabilities they're not fixing, both ones that are publicly known and ones that only Microsoft and a few others know about. Chrome and Firefox have no publicly known security vulnerabilities today.
What a fool believes, he sees, no wise man has the power to reason away.
"If you use Safari,..."
Phew. That takes care of everyone.
Umm... WHAT? Sorry to burst your conceit bubble there, Sparky, but... "Many eyes make bugs shallow" does not apply to Safari, because Safari is not open source software.
Webkit (the open source rendering engine that Safari uses) is not vulnerable. Chrome and Chromium (also built on Webkit) are also not vulnerable. Webkit is fine, at least in regards to this vulnerability.
Safari (the closed-source browser built on Webkit) is vulnerable.
This is a closed-source software bug that has been reported to the vendor.
I don't disagree that all software has bugs. That's going to be true. But this is an example of the opposite.
"This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
Actually, this is a perfect example of it.
The vulnerability is in closed-source software, because Safari is closed-source. The vulnerability does not exist in Webkit (the open source component of Safari), so no one but Apple can fix this issue.
The issue was discovered almost by accident. Safari allows Javascript to emulate keypresses (which is almost inconceivably stupid).
If any respectable open source team member had seen Javascript events being passed to the keyboard buffer, he or she would have screamed blue bloody murder and it would have become a priority one bug faster than you can say "the developer who wrote that shit has just lost code submission privileges on this project".
"This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
If any respectable open source team member had seen Javascript events being passed to the keyboard buffer, he or she would have screamed blue bloody murder and it would have become a priority one bug faster than you can say "the developer who wrote that shit has just lost code submission privileges on this project".
I'm not buying your assertion that open source developers are more attentive or more dedicated than non-open source developers. What is the rationale for that?
Other than defining the QA process to be whatever you want and being your own QA team, what advantages does a project being open source confer in this regard? Some outsider can swoop in and patch your critical security vulnerabilities for you, with tests, and no new bugs? Your users can fix bugs on their own, maintaining private one-off branches?
Not to dig on open source or anything, but I think it's usefulness is being pushed a BIT too far sometimes. There are certainly places it shines, but this is not one of them.