Safari Autofill exploit
Safari users are warned to avoid saving sensitive data to the autofill option, with recent discoveries pointing towards the browser exposing personal data without the user’s consent. It has yet to be determined whether the problem is purely a Safari issue or whether it poses a potential threat to all WebKit-based browsers, including Google Chrome. As a result, Chrome and Safari users are advised to disable the autofill feature immediately, until further notice.
Jeremiah Grossman, the chief technical officer of WhiteHat Security, noted on Wednesday that users of both Safari version 5 and the legacy version Safari 4 are at risk of having personal information exposed. The threat level is high: malicious Web sites are able to access autofill information from Safari without the user entering any personal information on the site, and even if the user has never visited the site previously. Malicious websites would be able, via JavaScript, to simulate A-Z keystrokes, which in combination with dynamic text fields such as “credit card” or “address” (which could even be hidden from the viewer’s sight, working in the background) could lift enough information to do some serious damage to the unsuspecting browser user.
Apple reassures Safari users that “We (Apple) take security and privacy very seriously. We’re aware of the issue and working on a fix”. Until such time, switch off autofill, grab a pen and paper and keep it somewhere safe!
Safari browser can expose personal data without the user’s consent, a security researcher reported on Wednesday. It remains unclear as to whether the problem affects Safari specifically or all WebKit-based browsers, which include Google Chrome. It’s recommended that Safari and Chrome users disable the autofill feature immediately, until further notice.
Jeremiah Grossman, the chief technical officer of WhiteHat Security, documented the exploit in a blog post on Wednesday, saying that it affects both the current version of Safari, version 5, and the legacy version, Safari 4. He said that the exploit is severe enough that a malicious Web site can access autofill information from Safari without the user entering in any personal information on the site, or even if the user had never visited the site previously.
A malicious Web site would only have to create dynamic form text fields with appropriate names, such as “address” or “credit card,” and simulate A-Z keystrokes using JavaScript, and then the data would be filled in automatically, Grossman said in the blog post. This would work, he said, even if the text fields were hidden from the visitor’s view. He also added that he notified Apple of the security breach on June 17 in accordance with accepted “best behavior” practices for security researchers, but received only an automatic response.
But it looks like the exploit may not be new. In a blog post from April 2009, Swiss security researcher Patrice Neff uncovered a strikingly similar exploit, which went unnoticed by many people, where Safari would submit a birthday without the user’s consent. Neff was able to write a script that could harvest that information from Safari browsers. It’s not clear at this point whether the exploits are identical, or just have similar-looking outcomes.
Regardless, the exploit highlights the risk in using automatic data-filling technology without stronger security controls. Users can disable autofill in Safari by going to Preferences, AutoFill, and AutoFill Web forms. In Chrome, go to the “wrench” menu, choose Options, Personal Stuff, and click the AutoFill button. The exploit does not appear at this time to affect the mobile Safari on iOS, or the WebKit-based browser on Android.
Apple’s official statement on the autofill vulnerability did not address specifics. “We take security and privacy very seriously. We’re aware of the issue and working on a fix,” said an Apple representative. Google did not comment but did confirm that this autofill exploit is not a vulnerability in Chrome because the browser requires a user confirmation to populate text fields that can’t be mimicked by JavaScript.
