Privacy flaw haunts Apple Safari RSS reader


There's a major privacy problem with the RSS reader built into Apple's Safari browser.

According to an alert from Brian Mastenbrook, there is a serious Safari vulnerability that allows a malicious web site to read files on a user's hard drive without user intervention.

Mastenbrook warns:

This can be used to gain access to sensitive information stored on the user's computer, such as emails, passwords, or cookies that could be used to gain access to the user's accounts on some web sites. The vulnerability has been acknowledged by Apple. All users of Mac OS X 10.5 Leopard who have not changed their feed reader application preference from the system default are affected, regardless of whether they use any RSS feeds or use a different web browser (such as Firefox). Users of previous versions of Mac OS X are not affected.


Mastenbrook, who has a credible history of reporting security issues affecting the Mac ecosystem, said users of Safari on Windows are also affected.

The researcher recommends that Safari users change the default feed reader in the browser.


To select a different feed reader:

  1. Open Safari and select Preferences... from the Safari menu.
  2. Choose the RSS tab from the top of the Preferences window.
  3. Click on the Default RSS reader pop-up and select an application other than Safari.

The only workaround available for users of Safari on Windows is to use a different web browser, Mastenbrook recommends.

This is not the first time that Apple's Safari browser has failed a privacy-related test.


Talkback

2 comments
  • Workaround has been revised, changing feed reader in Safari not adequate

    FYI Ryan, Mastenbrook has revised his page on the vulnerability and now reports that simply changing the RSS handler within Safari is not enough to protect users, as this doesn't change several associated URL handlers. He's recommending using RCDefaultApp to change the other handlers.
    MikeTRose
  • RE: Privacy flaw haunts Apple Safari RSS reader

    Well done! Thank you very much for professional templates and community edition
    birumut
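
A check for the point raised in MikeTRose's comment, as an added example that is not part of the article or of Mastenbrook's advisory: it reads a LaunchServices preferences plist and reports which feed-related URL schemes would still open in Safari, treating a scheme with no recorded handler as left on the system default. The scheme names `feed` and `feeds` (the page does not list the handlers), the bundle identifier `com.apple.safari`, and the sample plist are assumptions constructed for illustration.

```python
import plistlib

# Constructed sample of a per-user LaunchServices preferences plist.
# One scheme was reassigned, one still points at Safari, and one entry
# is a content-type handler that has nothing to do with URL schemes.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>LSHandlers</key><array>
<dict><key>LSHandlerURLScheme</key><string>feed</string>
      <key>LSHandlerRoleAll</key><string>com.example.otherreader</string></dict>
<dict><key>LSHandlerURLScheme</key><string>FEEDS</string>
      <key>LSHandlerRoleAll</key><string>com.apple.Safari</string></dict>
<dict><key>LSHandlerContentType</key><string>public.html</string>
      <key>LSHandlerRoleAll</key><string>com.example.browser</string></dict>
</array></dict></plist>"""

WATCHED_SCHEMES = ("feed", "feeds")   # assumed scheme names, not from the page
DEFAULT_HANDLER = "com.apple.safari"  # assumed bundle id of the system default


def handlers_by_scheme(plist_bytes):
    """Map each URL scheme in LSHandlers to its handler, both lowercased."""
    prefs = plistlib.loads(plist_bytes)
    mapping = {}
    for entry in prefs.get("LSHandlers", []):
        scheme = entry.get("LSHandlerURLScheme")
        handler = entry.get("LSHandlerRoleAll")
        if scheme is None or handler is None:
            continue  # content-type entry or incomplete record
        mapping[scheme.lower()] = handler.lower()
    return mapping


def schemes_still_default(plist_bytes, schemes=WATCHED_SCHEMES,
                          default=DEFAULT_HANDLER):
    """Return the watched schemes that still resolve to the default handler.

    A scheme with no entry was never reassigned by the user, so it is
    counted as still on the default rather than as safe.
    """
    mapping = handlers_by_scheme(plist_bytes)
    return [s for s in schemes if mapping.get(s, default) == default]


if __name__ == "__main__":
    for scheme in schemes_still_default(SAMPLE_PLIST):
        print(f"{scheme}: still handled by {DEFAULT_HANDLER}")
```
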