In the run-up to his presentation at the Black Hat conference, Jeremiah Grossman of White Hat Security told The Register that users who allow their browsers to auto-complete frequently used form fields, such as names or email addresses, may become an easy target for data thieves. For instance, auto-complete data can reportedly be retrieved automatically via JavaScript in Safari 4 and 5.
To exploit the flaw a crafted web page is created with various input fields with such typical labels as name, email address or credit card number. A script is created which tries out all possible first letters in these fields. This triggers the auto-complete feature which kicks in once the first character has been entered. If the browser auto-completes the letter to make a word, the script processes the entered value. This can even be done invisibly via hidden form fields.

Grossman informed Apple about the data leak on the 17th of June but says that so far he has not received any reply, other than an automated confirmation of receipt. A similar form of this attack scenario is already familiar from versions 6 and 7 of Microsoft Internet Explorer. In combination with cross-site scripting, Chrome and Firefox are also said to be vulnerable. There, attackers can even obtain data which the browsers' auto-complete feature only enters into the relevant web page

The link for this article located at H Security is no longer available.