Slashdot Mirror


Safari Privacy Bug May Be Leaking Your Data

richi writes "If you use Safari, your browser may be leaking your private information to any website you visit. Jeremiah Grossman, the CTO of WhiteHat Security, has discovered some Very Bad News. I have some analysis and other reactions over at my Computerworld blog. The potential for spam and phishing is huge. A determined attacker might even be able to steal previously-entered customer data." In short, autofill for Web forms is enabled by default in Safari 4 / 5 (and remotely exploitable), and the data that this feature has access to includes the user's local address book — even if the information has never been entered into a Web form.

2 of 152 comments

  1. But not Firefox... by alain94040 · Score: 5, Insightful

    It seems that the bug is due to Safari allowing keyboard events to be generated from JavaScript, so a malicious script can pretend to interact as if it were the user, whereas Firefox doesn't get fooled.

    --
    The Founder Conference is coming August 17

  2. Re:So..'many eyes make bugs shallow'? by bunratty · Score: 5, Insightful

    It could be that more of the vulnerabilities are being found in open source browsers than in closed source browsers. In other words, closed source browsers may have many more undiscovered security problems. IE still has security vulnerabilities they're not fixing, both ones that are publicly known and ones that only Microsoft and a few others know about. Chrome and Firefox have no publicly known security vulnerabilities today.

    --
    What a fool believes, he sees, no wise man has the power to reason away.