Auto Fill

Is the 'Auto fill' option in Safari (or any other web browser) a potential security risk?


The reason I ask is that I've just been informed that somebody has just stolen card details and used them in a fraudulent transaction.

Might be totally coincidental, but I've only just started using auto fill in my browsers; could there be a connection?

Thanks

G5 Dual and G4 iBook, Mac OS X (10.4.10)

Posted on Sep 14, 2007 6:04 AM

12 replies

Sep 14, 2007 8:07 AM in response to marc smith6

The only way I know that it would be a problem is if your computer itself were hacked into, either remotely or by someone who has physical access to your computer.

Safari stores its autofill information for usernames and passwords in your user's keychain. (You can access this by launching the program Keychain Access in your Utilities folder.) Your keychain is password-protected by default, but this protection is only as good as your password and as good as your Keychain Access settings regarding how long the keychain stays locked, etc.

So, in other words, the only way* someone can have accessed the usernames and passwords that you have Safari autofill is if they have opened your keychain, something you can make difficult to do by using a strong keychain password and by setting your keychain to lock itself after a period of inactivity. And then make sure it's difficult to impossible for someone to even make this attempt, by not allowing people you don't trust to use your computer and by protecting yourself from hacking attacks.

This discussion gets into security issues, of course, and that can get very in-depth. Some research about protecting your computer is probably in order. If you haven't yet, you'll want to look into ensuring that your computer is well-protected from outside attacks by using either the firewall protection of a router and/or the Mac OS X software firewall.

*(There are actually other, more difficult ways these can be accessed, such as a hacker watching your activities as you browse the web over your network. But this is true if you are using Safari's autofill or if you're filling in your usernames and passwords manually for every such site you visit. And of course, using security measures to protect your computer and your network makes this kind of hacking unlikely.)
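As an added example (not part of this thread), a small shell script for checking and applying the keychain auto-lock settings the reply above recommends, using the macOS `security` command-line tool; the exact wording of the `show-keychain-info` output it parses is an assumption, illustrated with a constructed sample in the comments.

```shell
#!/bin/sh
# Added example (not from the thread): audit and, if needed, fix the
# keychain auto-lock settings using the macOS `security` CLI.
# Assumed output format of `security show-keychain-info` (constructed sample):
#   Keychain "/Users/me/Library/Keychains/login.keychain-db" lock-on-sleep timeout=300s
#   Keychain "/Users/me/Library/Keychains/login.keychain-db" no-timeout

MAX_TIMEOUT=300   # seconds of inactivity after which the keychain must lock

# Parse one show-keychain-info line; print the timeout in seconds,
# or "none" when no inactivity timeout is configured.
keychain_timeout_seconds() {
    line=$1
    case $line in
        *timeout=*s*) t=${line##*timeout=}; echo "${t%s}" ;;
        *) echo none ;;
    esac
}

# Succeed (exit 0) only when the line shows lock-on-sleep AND a timeout
# no longer than MAX_TIMEOUT; anything else is treated as a weak setting.
keychain_settings_ok() {
    line=$1
    t=$(keychain_timeout_seconds "$line")
    [ "$t" != none ] || return 1
    [ "$t" -le "$MAX_TIMEOUT" ] || return 1
    case $line in
        *lock-on-sleep*) return 0 ;;
        *) return 1 ;;
    esac
}

# Live audit (macOS only): report the default keychain's settings and
# apply lock-on-sleep plus the inactivity timeout when they are weak.
audit_login_keychain() {
    command -v security >/dev/null 2>&1 || {
        echo "security CLI not found (not macOS)"; return 2; }
    info=$(security show-keychain-info 2>&1)   # tool reports on stderr
    echo "$info"
    if keychain_settings_ok "$info"; then
        echo "OK: keychain locks on sleep and after <= ${MAX_TIMEOUT}s idle"
    else
        echo "Weak: applying lock-on-sleep and ${MAX_TIMEOUT}s timeout"
        security set-keychain-settings -l -u -t "$MAX_TIMEOUT"
    fi
}
```

Run `audit_login_keychain` on the Mac in question; the two parsing functions can be exercised anywhere with sample lines.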

Sep 14, 2007 11:35 AM in response to marc smith6

Is the 'Auto fill' option in Safari (or any other web browser) a potential security risk?
The reason I ask is that I've just been informed that somebody has just stolen card details and used them in a fraudulent transaction.


I think most security conscious users would advise you not to use Safari Auto Fill and to enable Private Browsing on your Mac's accounts. Credit card fraud is sadly common nowadays, and I would also advise you to check the insurance details of your credit card carrier for the future, and I hope you haven't lost money this time.

So, in other words, the only way* someone can have accessed the usernames and passwords that you have Safari autofill is if they have opened your keychain, something you can make difficult to do by using a strong keychain password and by setting your keychain to lock itself after a period of inactivity. And then make sure it's difficult to impossible for someone to even make this attempt, by not allowing people you don't trust to use your computer and by protecting yourself from hacking attacks.


This is incorrect info, as an unauthenticated remote attacker could exploit auto fill by constructing a malicious page under a domain that matches stored info, i.e. a strong keychain password will not protect you at all. This is a security issue common to other browsers.

Sep 14, 2007 12:23 PM in response to Ewen

My understanding has been that, when behind a firewall and with proper security measures to protect one from hacking attempts, autofill is safe. I'll leave it to others to hash this out.

This is incorrect info as an unauthenticated remote attacker could exploit auto fill by constructing a malicious page under a domain that matches stored info, i.e. strong keychain password will not protect you at all. This is a security issue common to other browsers.


This is true, but I have never heard of a phishing attempt that does this. It can of course theoretically be done, but it would require hacking into the web site in question to create pages on that domain. In other words, the people doing the phishing would have to hack into, for example, bankofamerica.com to create the page where they then retrieve your autofilled login information, before Bank of America discovers that they've done so and stops them retrieving the information sent from that page.

Message was edited by: Rachel R

Sep 14, 2007 2:28 PM in response to Rachel R

This is true, but I have never heard of a phishing attempt that does this. It can of course theoretically be done, but it would require hacking into the web site in question to create pages on that domain. In other words, the people doing the phishing would have to hack into, for example, bankofamerica.com to create the page where they then retrieve your autofilled login information, before Bank of America discovers that they've done so and stops them retrieving the information sent from that page.


No it's a real concern. Here for example is the Cisco security report on it.

Sep 16, 2007 8:56 AM in response to Ewen

No, you can also arrive at these sites by web surfing.


So it seems you would have to either respond to an emailed phishing attempt or use an external web link to a sensitive login page on the site in question. Since I only use the front page of a potentially sensitive web site to access the login link (which is what is advised as a rule to avoid being caught by phishing attempts), it seems this kind of hacking attempt will not affect me.

Enough said on this issue, I think. Security issues get very complicated and I'd recommend anyone trying to piece all of this together do the intensive research necessary to make these decisions.

Sep 16, 2007 10:11 AM in response to Ewen

Ewen wrote:
Security is a very real issue....


Of course it's a very important issue! I would never say otherwise. I'm just saying that this particular security problem seems to require that one do things on the web that I never do, and that have been advised against since before this particular exploit became known.

that's probably why Safari 3.x does make changes to autofill from 2.x.


Except, as I said in my other post replying to you on this subject in another thread, Safari 3 only eliminates saving the "Other forms" entries in autofill, which is separate from the usernames/passwords autofill. "Other forms" autofill is used to save things that aren't considered sensitive, like search strings. In the meantime, Safari 3 retains the usernames/passwords autofill entries, as did Safari 2, by saving those entries in the keychain.
