Tuesday, October 5, 2010

Safari AutoFill feature continues to threaten sensitive data

Security researcher Jeremiah Grossman must be vetting Safari's AutoFill feature very closely, for he has exposed a couple of flaws in the browser's autocomplete feature during the past few months. While Apple promptly came up with a patch after Grossman detailed the vulnerability at the Black Hat conference in July, the flaw has now resurfaced.

"A malicious website detects (ie: IP address) the country the victim is from. For our purposes here we'll assume the "US." The attacker invisibly (CSS transparency) sets up the aforementioned form and forces the keystroke focus into the country element. Next the attacker entices the victim to type "U" (first character of "US") and then press "TAB." And BAM! That's it! Data stolen."

Via: http://www.maximumpc.com
