I don't have Safari to test, but it looks like it does two things differently to other browsers. The first has been mentioned — slurping data from the local address book and feeding it to any site.
The second I can't test, but looking at the screenshot, it appears that Safari actually fills in the text field with the contents of the auto-fill, before you actually choose that auto-fill, and it highlights that text so typing something overwrites it, which is a standard way of doing autofill. However, using script to ask the textbox for its contents then exposes sensitive data. In contrast, other browsers display the sensitive data in (inaccessible to script) browser chrome, so no data is exposed.
Safari: R|*obin Message* (in the textbox itself)
Firefox: R|
Robin Message (in a popup, push down to get to it)
Er, the problem seems to be more that Javascript-initiated keyboard events can trigger AutoComplete. Only KB events from the system should be allowed to do that.
Understand that it's fetching the data from the system's address book, but obviously this is going to be the same data it would remember if you entered it elsewhere. Keep in mind that this is a feature of Safari being exploited; it's not like this is a vulnerability in the address book that gives you unlimited access to all the user's contacts.
Autocomplete by other browsers works by remembering things you entered in forms previously (maybe restricted to domain?). One distinction is that you already decided you wanted to expose that information.
The most important distinction though, is that you have to still select to fill that out manually.
Of course logins are another story - those are automatically filled in. But those are restricted to the page you already entered them on, and you have to decide you want that information filled explicitly.
Couldn't you still use a variation of this hack to steal the info from Firefox?
Steps:
1. Go to a popular site that makes one fill out the information you want to steal.
2. Record the names they use for all their fields (afaik this is how FF determines what value to supply)
3. Use the hack to make a form with those fields
4. Profit
On step 3, it may be that you have to enter the field and type something to get the auto-complete to kick in, but that's easy: you only need to try 26 letters and 10 numbers to get a hit.
Autocomplete is activated by user interaction, not javascript events. The only way to trigger this would be a phishing attack, where you tricked the user into entering their information in.... but in that case, you're not really benefiting from autocomplete because they would have given it to you anyway.
Yup. Also worth noting is that this is a proof of concept; a real attack would likely use non-visible form fields and background automatic data transmission. I think most people would agree that there's a world of difference between a phishing attack and an automated drive-by attack.
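An added illustration, not code from this thread and not from Safari, Firefox or Chrome: a small JavaScript simulation of the two autofill behaviours the comments above describe (the "complete the field in place" model attributed to Safari versus the "suggestion in browser chrome, user must pick it" model attributed to Firefox and Chrome), run against the 36-character prefix probe outlined in the numbered steps, with the fields kept off-screen as the previous comment suggests. The address-book record, the field names and the behaviour model itself are constructed assumptions drawn from the comments; it runs under Node and never touches a real browser. In a real DOM, key events dispatched by script are untrusted and do not insert text into an input, which is exactly the user-interaction distinction the popup model depends on.

```javascript
// Added simulation of the autofill behaviours described in the thread.
// Not code from the thread, nor from any browser. The record, field names
// and the two behaviour modes below are constructed assumptions.

// Constructed sample address-book record (not real data).
const ADDRESS_BOOK = { name: "Robin Message", city: "Cambridge", company: "Acme Ltd" };

// The guesses the thread's attack tries: 26 letters and 10 digits.
const ALPHANUM = "abcdefghijklmnopqrstuvwxyz0123456789";

// Build a text field whose autofill reacts to a keypress in one of two ways:
//   "fill-in-field": any keypress, user- or script-generated, whose prefix
//                    matches the stored value puts the whole value into
//                    field.value (the Safari behaviour described above).
//   "popup":         a matching prefix only shows a suggestion in browser
//                    chrome, and only for user-generated keys; field.value
//                    keeps what was typed until the user picks the suggestion
//                    (the Firefox/Chrome behaviour described above).
function makeField(name, mode, record) {
  const field = { name, mode, value: "", suggestionShown: false, hidden: false };
  // `isTrusted` stands in for the browser's distinction between a real key
  // event and one dispatched by page script.
  field.keypress = function (ch, isTrusted) {
    field.value += ch;
    field.suggestionShown = false;
    const stored = record[name];
    if (!stored || !stored.toLowerCase().startsWith(field.value.toLowerCase())) return;
    if (mode === "fill-in-field") {
      field.value = stored;          // readable by any script on the page
    } else if (isTrusted) {
      field.suggestionShown = true;  // lives in chrome, never in .value
    }
  };
  return field;
}

// The probe the thread describes: for each field name the autofill knows,
// send one script-generated keypress per alphanumeric character until the
// value is completed, then read field.value. Returns what was harvested and
// how many keypresses it cost.
function probe(fieldNames, mode, record) {
  const harvested = {};
  let keypresses = 0;
  for (const name of fieldNames) {
    const field = makeField(name, mode, record);
    field.hidden = true;           // an attack page would keep the inputs off-screen
    for (const ch of ALPHANUM) {
      field.value = "";            // start a fresh guess
      field.keypress(ch, false);   // false: dispatched by script, not by the user
      keypresses++;
      if (field.value !== ch) {    // autofill replaced our single character
        harvested[name] = field.value;
        break;
      }
    }
  }
  return { harvested, keypresses };
}

// What the page's script sees in the popup model when a real user types "r":
// a suggestion is shown in chrome, but field.value is still just "r".
function userTypesInPopupModel(name, ch, record) {
  const field = makeField(name, "popup", record);
  field.keypress(ch, true);
  return { value: field.value, suggestionShown: field.suggestionShown };
}

// Stand-alone run: compare the two models on the same constructed record.
const fieldNames = Object.keys(ADDRESS_BOOK);
console.log("fill-in-field:", probe(fieldNames, "fill-in-field", ADDRESS_BOOK));
console.log("popup:", probe(fieldNames, "popup", ADDRESS_BOOK));
console.log("user typed r (popup):", userTypesInPopupModel("name", "r", ADDRESS_BOOK));
```

Under the fill-in-field model the probe recovers all three values in 22 script-generated keypresses; under the popup model the same 108 keypresses recover nothing, because the suggestion only ever exists in chrome and only after a trusted key event.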
My first Firefox security bug report (five years before I became a Mozilla employee!) was for a somewhat similar issue where pages could read form autofill data that wasn't explicitly entered by the user. Even before that vulnerability was fixed, it required significantly more user interaction than this Safari exploit. Normally Firefox will not make autofill data accessible to scripts except in response to user interaction.
I have only tested this with Chrome, but what I see is that Chrome does not autocomplete the form field (i.e. insert your name/etc into the text field).
In Chrome, the decision to add previously-entered text into the field is left to the user, through selection from a dropdown that Chrome displays below the text field.
Presumably Safari just sticks the text in the field as soon as the prefix added to the field using fake keypresses matches up with your addressbook info.
I haven't used the autofill feature (have never trusted it), but in Chrome apparently it is site-specific, and requires user intervention for it to work. I'd be interested in how FF handles it.