First introduced in late 2004 as a Google Labs project, Google’s autocomplete search feature has been an integral part of the world’s most popular search engine ever since its widespread rollout in 2008. This nifty search aid hasn’t had a controversy-free existence, however. It now finds itself at the heart of a fresh controversy in Japan. More after the jump.
Security researcher Jeremiah Grossman must be vetting Safari's AutoFill feature very closely, for he has exposed a couple of flaws in the browser's autocomplete feature during the past few months. While Apple promptly came up with a patch after Grossman detailed the vulnerability at the Black Hat conference in July, the flaw has now resurfaced.
“It’s back! A little less automatic, but at the same time faster and more complete in the data exploitation. Before discussing the technical details some background is necessary,” Grossman, who is the founder and CTO of WhiteHat Security, said in a recent blog post. He notified Apple of the new vulnerability last month, but the company has yet to release a patch.
“A malicious website detects (ie: IP address) the country the victim is from. For our purposes here we'll assume the "US." The attacker invisibly (CSS transparency) sets up the aforementioned form and forces the keystroke focus into the country element. Next the attacker entices the victim to type "U" (first character of "US") and then press "TAB.” And BAM! That’s it! Data stolen.”
As hackers could use this flaw to steal personal information, Grossman recommends that Safari users disable the AutoFill feature, which is enabled by default in Safari v5.