Safari exploit gives your contact info to malicious websites

In a report on security in the first half of 2010 Apple has claimed the top spot in the number of security vulnerabilities in their OS and software. According to a report from the security company Secunia, Apple is followed by Oracle and then Microsoft in the number of security flaws reported. It's worth noting that this report does not weigh the severity of these vulnerabilities, only the overall number of them.

Safari itself ranks slightly better in the number of vulnerabilities found in 3rd party applications, taking the number two spot right after Mozilla's Firefox. It may not come as any surprise then that a major Safari exploit was publicly reported yesterday by Jeremiah Grossman, the founder of WhiteHat Security.

The exploit lets malicious sites retrieve your personal data from your Address Book in both Safari 4 & 5 if you have enabled the option to allow Safari to AutoFill web forms with your Address Book info. The exploit does not require the user to even see the forms, it can all happen automatically without you having any idea that you just gave the site your name, company, city, state, country, email and other form data you may have added to your Address Book entry.

It's important to note that this vulnerability does apply to Safari for Windows as well, but it will only grab the personal information you've explicitly typed into Safari directly.

Jeremiah also mentions that he did report this vulnerability privately to Apple on June 17th.

[Hat tip Techmeme & Ars Technica]