QuickTold: Safari form autocomplete feature leaks personal information.

Tip by /g/ - United Tech Support Service, Anonymous | Added 2010-07-23, 11:30 PM | 18 Replies


> Anonymous 07/24/10(Sat)00:18 No.8531 
>I know who your name
> Anonymous 07/24/10(Sat)00:27 No.8533 
Hahaha. Oh wow.

This isn't surprising, actually. Apple always has these fuck-ups because "it just works."
> Chimecho 07/24/10(Sat)00:46 No.8534 
And to think, Safari was always the first browser to be hacked at pwn2own too.

A note to macfags: Enjoy your botnet
> Anonymous 07/24/10(Sat)00:46 No.8535 
>>8533
It's the user's fault, obviously. They just work.
> Anonymous 07/24/10(Sat)07:19 No.8539 
There's no security issue. Just don't surf that way.

Posted on my hacked iPad.
> Anonymous 07/24/10(Sat)15:06 No.8542 
Not surfing that way? It should be off by default and perhaps prompt users with an explanation of the feature and risks at the first opportunity it can be used.
> Anonymous 07/24/10(Sat)15:20 No.8544 
So the leak is caused by auto-fill filling in fields? I don't understand the issue here.
> Anonymous 07/24/10(Sat)15:27 No.8546 
>>8544
From my understanding (I don't use autocomplete ever), Firefox and other superior browsers require that you click on the item you want to put in the field before anything is actually inserted while Safari just throws it in there. This would allow the exploit to be done "invisibly" without the user even seeing what's going on.

Also Safari seems to have autocomplete enabled by default while most other browsers do not.
> Anonymous 07/24/10(Sat)15:34 No.8547 
>>8544
The auto-filled fields can immediately be sent to a server without any user interaction, so basically you can get your personal information stolen just by visiting a malicious site using Safari.
> Anonymous 07/24/10(Sat)16:27 No.8548 
>>8547
so that's how they found the lost iphone prototype
> Anonymous 07/24/10(Sat)17:23 No.8549 
It's like everything Apple makes is designed to tell everyone who you are now. Not surprising really.
> Anonymous 07/24/10(Sat)21:45 No.8553 
>>8539
oh lol

>>8544
>>8546
Yeah, they get autofilled without user interaction (maybe even if they're hidden fields? They could be styled invisible in any case) so they can also be submitted to badguys.cn with javascript. This will probably be used for spear phishing mostly, since they can send you a personalised scam email addressed directly to you with personal info "from" whoever the biggest bank in your town is.
> Anonymous 07/26/10(Mon)12:47 No.8555 
This is a serious attack and the fact that sites can trigger autocomplete, then retrieve the form data without user submission is pretty glaring and appalling design practice. There's a lot of "TODO"s in the WebKit source though, so I'm not surprised.

I should have addressed this in my latest YFSGT editorial, but I neglected to. Oh well.
> Anonymous 07/27/10(Tue)16:06 No.8556 
>I know who your name

HURP
> Anonymous 07/27/10(Tue)22:34 No.8557 
>>8555
>>This is a serious attack and the fact that sites can trigger autocomplete, then retrieve the form data without user submission is pretty glaring and appalling design practice.
True, I've always been wary of web browsers remembering things like your log-in/password, your email addresses, home address, and other such personal & potentially damaging info.

[some comment on the article]
>>. I think chrome's auto-fill relies on popups that don't actually input your info into the form until you hit enter. Whereas Safari just directly inputs your info into the form.
Ugh, so Chrome involves some user interaction and doesn't put the info right there until you ok it, while Safari gives it up without any question.

Even though there is encryption and features like having one "master password" to a password manger, I still don't like having my browser remember such things.
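
Added example, not part of any post in this thread and not browser code: a toy model of the two autofill behaviours the posters contrast (fill as soon as the page loads versus fill only after the user confirms a suggestion), showing which field values page script can read before any user interaction. All names and the sample profile are hypothetical, and the rule that the confirm-first policy skips invisible fields is an assumption of this model.

```javascript
// Toy model of two autofill policies; not browser code. All names are hypothetical.
const PROFILE = { name: "Alex Example", email: "alex@example.test" }; // constructed sample data

// Form as delivered by a page: one field styled invisible, one visible.
function makeForm() {
  return {
    name: { visible: false, value: "" },
    email: { visible: true, value: "" },
  };
}

// "fill-on-load": matching fields are populated as soon as the page loads,
// the behaviour the thread attributes to Safari.
// "confirm-first": the browser only records a suggestion; nothing enters the
// field until the user picks it. Skipping invisible fields is an added
// assumption of this model, not something the thread states.
function loadPage(form, policy) {
  const suggestions = [];
  for (const [field, state] of Object.entries(form)) {
    if (!(field in PROFILE)) continue;
    if (policy === "fill-on-load") state.value = PROFILE[field];
    else if (state.visible) suggestions.push(field);
  }
  return suggestions;
}

// The user explicitly accepts one suggestion (click or Enter).
function userAccepts(form, suggestions, field) {
  if (suggestions.includes(field)) form[field].value = PROFILE[field];
}

// Field values any script on the page can read, with no form submission.
function scriptReadable(form) {
  return Object.entries(form)
    .filter(([, state]) => state.value !== "")
    .map(([field]) => field);
}

// Compare exposure before and after a single user confirmation.
function exposure(policy) {
  const form = makeForm();
  const suggestions = loadPage(form, policy);
  const beforeInteraction = scriptReadable(form);
  userAccepts(form, suggestions, "email");
  return { beforeInteraction, afterAcceptingEmail: scriptReadable(form) };
}

console.log(exposure("fill-on-load"));
console.log(exposure("confirm-first"));
```
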
> Anonymous 07/27/10(Tue)22:42 No.8558 
>>8557
>password manger
Of course, Macfags will say "BUT THERE'S 1PASSWORD HURR DURR".

Except I'm not paying forty fucking dollars for a password manager.
> Anonymous 07/27/10(Tue)23:52 No.8559 
Daily Price Told:

Mac Pro:
2.66ghz Intel Quad Core 8mb cache
6gb 1066mhz DDR3
1tb 7200rpm SATA HDD
Radeon 4870 512mb
$3028

Dell Inspiron 580
2.66ghz Intel Quad Core 8mb cache
6gb 1066mhz DDR3
1tb 7200rpm SATA HDD
radeon 5450 1gb
$770
> Anonymous 07/28/10(Wed)00:30 No.8560 
And nothing of value was lost.