Major Flaw in Apple’s Safari Browser Gives Hackers Access to Personal Information

[Image: Kernel panic in Mac OS X. Image via Wikipedia]

Apple may have a reputation as a security leader, but that reputation is not entirely deserved. Its OS can be hacked like any other (at hacking conventions like Def Con, Mac OS has not proven significantly more secure than Windows), and now blogger and white hat hacker (the good kind) Jeremiah Grossman has discovered a major flaw in Apple’s Safari browser.

The flaw originates in Safari’s unusual auto-fill system. In most browsers, when you fill in an address, phone number, name, or other common bit of personal information, the browser offers to save it for future use. The key point is that you have to actually enter the information at least once before the browser can offer to fill it in again.

But Safari instead draws on the user’s Address Book app on his or her computer, meaning the user may never have typed that information into a web form, yet Safari can still pop it into the requisite spot. Apple probably sees this as a convenient shortcut (the information is already on the computer, so why enter it again?), but it also opens Safari up to hacking.