Safari, Internet Explorer, Firefox and Chrome Leak Sensitive User Information to Websites
By Pallab De on July 22nd, 2010

Most of us don’t think twice before saving sensitive information in our browser’s auto-fill database. After all, browsers are desktop applications that reside on our system. So, any data we store in our browser should remain private, right? Wrong.

Jeremiah Grossman, CTO of WhiteHat Security, has uncovered security holes in each of the major browsers that booby-trapped websites can exploit to gain access to sensitive information.

“Right at the moment a Safari user visits a website, even if they’ve never been there before or entered any personal information, a malicious website can uncover their first name, last name, work place, city, state, and email address”, revealed Grossman in a blog post. According to his proof of concept, a website can use JavaScript to fool Safari (v4 and v5) into giving up stored form auto-fill information without user intervention. Apple, which was notified about this vulnerability back in June, has yet to respond.

Internet Explorer 6 and 7 can also be exploited in a similar fashion. However, Internet Explorer 8 appears to be safe for the moment. If you are using any of the affected browsers, it’s highly recommended that you disable the built-in AutoFill functionality for the time being.

The Register is also reporting that Grossman has discovered critical XSS (cross-site scripting) vulnerabilities in Firefox and Chrome, which can be exploited to gain access to stored website passwords. Grossman is expected to reveal more at the Black Hat Security Conference, which is going to be held next week.

Author: Pallab De
Pallab De is a blogger from India who has a soft spot for anything techie. He loves trying out new software and spends most of his day breaking and fixing his PC. Pallab loves participating in the social web; he has been active in technology forums since he was a teenager and is an active user of both Twitter (@indyan) and Facebook.

Pallab De has written and can be contacted at pallab@techie-buzz.com.
 
Copyright 2006-2012 Techie Buzz. All Rights Reserved. Our content may not be reproduced on other websites.