Safari Autocomplete Exploit .:. kentbrewster.com

This exploits a Safari bug to be presented next week at Black Hat by the inimitable Jeremiah Grossman. As far as I can tell it won't work in other browsers, including Chrome.

Here we're using some really crummy JavaScript--view source if you're curious--to focus on the input box named email, programmatically run through all 26 letters of the alphabet, and wait a second after each one to see if autocomplete has helped us out.

If it has, we'll pause and show what we find. Insert scary scenario here; we could do this invisibly and do what we like with what we get.

If we get to Z and nothing happens, you haven't filled out a form requesting your e-mail address with an input named email. Enter a bogus address such as foo@bar.com and hit Enter to reload the page.

A variant of this attack works on IE6 and IE7 by hitting the down-arrow twice and then Enter; it's much faster (and scarier) than this.

If you have not done so already, open Safari > Preferences > AutoFill and turn everything off.

Comments from before Disqus:

Kent Brewster .:. 2010-07-21 19:37:14
Jeremiah has posted the article and the exploit, which are both much more awesome than mine. Really nice work!

Copyright Kent Brewster 1987-2014