The autofill option in Apple's Safari browser can expose personal data without the user's consent, a security researcher reported on Wednesday. It remains unclear as to whether the problem affects Safari specifically or all WebKit-based browsers, which include Google Chrome. It's recommended that Safari and Chrome users disable the autofill feature immediately, until further notice.
Jeremiah Grossman, the chief technical officer of WhiteHat Security, documented the exploit in a blog post on Wednesday, saying that it affects both the current version of Safari, version 5, and the legacy version, Safari 4. He said that the exploit is severe enough that a malicious Web site can access autofill information from Safari without the user entering in any personal information on the site, or even if the user had never visited the site previously.

A malicious Web site would only have to create dynamic form text fields with appropriate names, such as "address" or "credit card," and simulate A-Z keystrokes using JavaScript, and then the data would be filled in automatically, Grossman said in the blog post. This would work, he said, even if the text fields were hidden from the visitor's view. He also added that he notified Apple of the security breach on June 17 in accordance with accepted "best behavior" practices for security researchers, but received only an automatic response.

The link for this article located at CNET is no longer available.