Safari autofill exploit can reveal user data
A malicious Web site would only have to create dynamic form text fields with appropriate names, such as "address" or "credit card," and simulate A-Z keystrokes using JavaScript, and then the data would be filled in automatically, Grossman said in the blog post. This would work, he said, even if the text fields were hidden from the visitor's view. He also added that he notified Apple of the security breach on June 17 in accordance with accepted "best behavior" practices for security researchers, but received only an automatic response.
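A defender-side check for the pattern described above, as an added example that is not from the original article or from Grossman's post: it flags text fields that carry autofill-style names yet are hidden from the visitor's view. The field-descriptor shape (what a crawler or browser extension might extract from a rendered page), the name list, and the size thresholds are all assumptions.

```javascript
// Name fragments that autofill commonly maps to personal data (assumed list;
// "address" and "credit card" are the two the article names).
const SENSITIVE = ["address", "creditcard", "cardnumber", "street", "city",
                   "zip", "email", "phone"];

// Lower-case and strip separators so "credit card", "credit_card" and
// "Credit-Card" all compare equal.
function normalize(fieldName) {
  return String(fieldName || "").toLowerCase().replace(/[^a-z0-9]/g, "");
}

function isSensitiveName(fieldName) {
  const n = normalize(fieldName);
  return SENSITIVE.some((frag) => n.includes(frag));
}

// Returns why a field is not visible to the visitor, or null if it is visible.
function hiddenReason(f) {
  const s = f.style || {};
  if (s.display === "none") return "display:none";
  if (s.visibility === "hidden") return "visibility:hidden";
  if (parseFloat(s.opacity) === 0) return "opacity:0";
  const r = f.rect;
  if (r && (r.width <= 1 || r.height <= 1)) return "zero-size";
  if (r && (r.x + r.width <= 0 || r.y + r.height <= 0)) return "off-screen";
  return null;
}

// Flag text fields that have an autofill-style name and cannot be seen.
function auditFields(fields) {
  const findings = [];
  for (const f of fields) {
    if ((f.type || "text") !== "text") continue; // the article describes text fields
    if (!isSensitiveName(f.name)) continue;
    const reason = hiddenReason(f);
    if (reason) findings.push({ name: f.name, reason, scriptCreated: !!f.scriptCreated });
  }
  return findings;
}

// Constructed sample input (not taken from any real page).
const SAMPLE_FIELDS = [
  { name: "address", type: "text", scriptCreated: true, style: { display: "none" } },
  { name: "Credit Card", type: "text", scriptCreated: true, style: { opacity: "0" } },
  { name: "email", type: "text", style: {}, rect: { x: 40, y: 200, width: 200, height: 24 } },
  { name: "q", type: "text", style: {}, rect: { x: -5000, y: 0, width: 100, height: 20 } },
  { name: "phone", type: "text", style: {}, rect: { x: -5000, y: 0, width: 100, height: 20 } },
];

console.log(auditFields(SAMPLE_FIELDS));
```

The visible "email" field and the off-screen but non-sensitive "q" field are not reported; only fields that are both autofill-named and hidden are.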
The link for this article located at CNET is no longer available.