ATTENTION: Safari has a vulnerability that exposes the information saved in the browser

Video: http://www.youtube.com/watch?v=nONC_sFn2Yw

The video clip above is a short demonstration of how a malicious person can access all of your personal data saved in Safari. It seems that the "AutoFill" function, which automatically completes text fields in Safari, contains a vulnerability: by running a simple exploit, a website can access all the data saved in Safari, such as name, address, e-mail and other information stored in the Address Book. The video was made by Jeremiah Grossman, a WhiteHat security expert, and aims to warn users about the risks they expose themselves to by using the "AutoFill" function in Safari.

All a malicious website would have to do to surreptitiously extract Address Book card data from Safari is dynamically create form text fields with the aforementioned names, probably invisibly, and then simulate A-Z keystroke events using JavaScript. When data is populated, that is AutoFill'ed, it can be accessed and sent to the attacker.

It seems that the code used to access the data does not work for entries that start with numbers, for example phone numbers or addresses that start with the street number. Jeremiah Grossman notified Apple of this vulnerability on June 17, but so far he has not received any news from Apple, and as you can see in the video, Apple has not bothered to solve the problem either.

I figured Apple might appreciate a vulnerability disclosure prior to public discussion, which I did on June 17, 2010 complete with technical detail. A gleeful auto-response came shortly after, to which I replied asking if Apple was already aware of the issue. I received no response after that, human or robot. I have no idea when or if Apple plans to fix the issue, or even if they are aware, but thankfully Safari users only need to disable AutoFill web forms to protect themselves.

Be careful how you use Safari and where you enter your data. This vulnerability has existed for some time, and it is very possible that you have already fallen prey to a website that uses code exploiting it. It would be a good idea to use another browser until Apple decides to solve this problem.
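
The technique described above depends on text fields that carry personal-data names but are hidden from the user. The following is an added example, not code from the original post or from Jeremiah Grossman: a page-audit heuristic that flags such fields. The field-name pattern, the visibility thresholds and the sample data are assumptions made for illustration.

```javascript
// Added example: flag text inputs that AutoFill could populate but the user cannot see.
// The name pattern and the thresholds are assumptions, not taken from the article.
const PERSONAL_NAME = /^(name|first|last|company|street|address|city|state|zip|country|e-?mail)/i;

// True when the computed style or the layout box hides the field from the user.
function isInvisible(style, rect, viewport) {
  if (style.display === 'none' || style.visibility === 'hidden') return true;
  if (parseFloat(style.opacity) === 0) return true;
  if (rect.width < 2 || rect.height < 2) return true;        // collapsed to a sliver
  return rect.right <= 0 || rect.bottom <= 0 ||              // pushed off-screen
         rect.left >= viewport.width || rect.top >= viewport.height;
}

// fields: [{ name, type, autocomplete, style, rect }] collected from a page.
// In a browser, build the list from document.querySelectorAll('input') using
// getComputedStyle(el) and el.getBoundingClientRect() for each element.
function findHiddenAutofillTargets(fields, viewport) {
  return fields.filter((f) => {
    const type = (f.type || 'text').toLowerCase();
    if (!['text', 'email', 'tel'].includes(type)) return false; // only typed text fields
    if (f.autocomplete === 'off') return false;                 // page opted out of autofill
    return PERSONAL_NAME.test(f.name || '') && isInvisible(f.style, f.rect, viewport);
  }).map((f) => f.name);
}

// Constructed sample: a search box, a visible e-mail field, and three
// identity fields hidden in three different ways.
const viewport = { width: 1280, height: 800 };
const box = (left, top, width, height) =>
  ({ left, top, width, height, right: left + width, bottom: top + height });
const shown = { display: 'inline-block', visibility: 'visible', opacity: '1' };
const sampleFields = [
  { name: 'q', type: 'text', style: shown, rect: box(100, 50, 300, 24) },
  { name: 'email', type: 'text', style: shown, rect: box(100, 90, 300, 24) },
  { name: 'name', type: 'text', style: { ...shown, opacity: '0' }, rect: box(0, 0, 100, 20) },
  { name: 'city', type: 'text', style: shown, rect: box(-5000, 0, 100, 20) },
  { name: 'country', type: 'text', style: { ...shown, display: 'none' }, rect: box(0, 0, 0, 0) },
];
console.log(findHiddenAutofillTargets(sampleFields, viewport));
```

A hit is a reason to inspect the page, not proof of abuse: legitimate sites also hide fields, for example in collapsed form sections.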