THIS WEEK'S SPONSOR:

Kolide

Endpoint Security for Teams That Slack - Try Kolide for Free Today!


Why You Should Disable your Browser Autofill

Geeking out on all things security, Jeremiah Grossman details an interesting attack that could steal information stored in a web browser for use in autofill.

These fields are AutoFill’ed using data from the users personal record in the local operating system address book. Again it is important to emphasize this feature works even though a user never entered this data on any website. Also this behavior should not be confused with normal auto-complete data a Web browser may remember after its typed into a form.

All a malicious website would have to do to surreptitiously extract Address Book card data from Safari is dynamically create form text fields with the aforementioned names, probably invisibly, and then simulate A-Z keystroke events using JavaScript. When data is populated, that is AutoFill’ed, it can be accessed and sent to the attacker.

Safari isn’t the only browser affected as headlined by 9 to 5 Mac. Any browser that has autofill capabilities is affected by this vulnerability. Though it is reported that Safari and Internet Explorer have the potential to be more at risk to these types of attacks. The Register explains.

Among the most serious is a vulnerability in Apple’s Safari and earlier versions of Microsoft’s IE that exposes names, email addresses, and other sensitive information when a user visits a booby-trapped website. The attack exploits the browsers’ autocomplete feature used to automatically enter commonly typed text into websites. It works by creating a webpage with fields carrying titles such as “First Name,” “Last Name,” “Email Address,” and “Credit Card Number” and then adding javascript that simulates the user entering various letters, numbers or keystrokes into each one.

I always disable mine anyway since I find autofill to be a useless and annoying feature, but now I feel particularly awesome knowing my habits are keeping me safe from evil-doers. If you’re particularly wary, I would go ahead an disable these checkboxes in Safari (all of them). You should do this for other web browsers as well.

Safari Preferences

Safari Preferences

[via 9 to 5 Mac]

Unlock More with Club MacStories

Founded in 2015, Club MacStories has delivered exclusive content every week for over six years.

In that time, members have enjoyed nearly 400 weekly and monthly newsletters packed with more of your favorite MacStories writing as well as Club-only podcasts, eBooks, discounts on apps, icons, and services. Join today, and you’ll get everything new that we publish every week, plus access to our entire archive of back issues and downloadable perks.

The Club expanded in 2021 with Club MacStories+ and Club Premier. Club MacStories+ members enjoy even more exclusive stories, a vibrant Discord community, a rotating roster of app discounts, and more. And, with Club Premier, you get everything we offer at every Club level plus an extended, ad-free version of our podcast AppStories that is delivered early each week in high-bitrate audio.

Choose the Club plan that’s right for you:

  • Club MacStories: Weekly and monthly newsletters via email and the web that are brimming with app collections, tips, automation workflows, longform writing, a Club-only podcast, periodic giveaways, and more;
  • Club MacStories+: Everything that Club MacStories offers, plus exclusive content like Federico’s Automation Academy and John’s Macintosh Desktop Experience, a powerful web app for searching and exploring over 6 years of content and creating custom RSS feeds of Club content, an active Discord community, and a rotating collection of discounts, and more;
  • Club Premier: Everything in from our other plans and AppStories+, an extended version of our flagship podcast that’s delivered early, ad-free, and in high-bitrate audio.