Safari User? Turn Off Autofill. NOW.

According to the brilliant Jeremiah Grossman, a severe vulnerability exists in Safari 4x and 5x allowing a malicious Web site to invade via the Autofill feature. More frightening, this vulnerability exists even if you haven’t filled out anything on the page.

Safari Autofill

TIP: Safari users are recommended to turn off Autofill immediately until Apple posts a patch or update to Safari. To turn off Autofill:

  1. Safari Menu > Preferences > Autofill
  2. Uncheck all Autofill options
  3. Close Preferences

UPDATE: Looks like a variant idea was posted by Patrice Neff back in 2009. Still hasn’t been fixed! Also, Jeremiah suspects this may be a Webkit issue, which means Chrome, Konqueror and a few other browsers such as OmniWeb, iCab and possibly even the Android mobile browser will be affected.

See Social Threat Live!

We will be speaking in Ann Arbor, Michigan at Conor O’Neill’s at the LA2M. Scott and I will both be there to talk about privacy, Facebook, Apple, Google and where the Hell Micro$oft is these days. Come see us!

If you’re unable to attend the event, you can see it live online here.

Event details
Location: Conor O’Neills
Address:
318 South Main Street
Ann Arbor, MI
Phone: 734.272.4698
Email: info@la2m.org

Credit card numbers showing up in Blippy—AGAIN!

WTF. You’d think after the humiliation and financial risks caused by social sharing site Blippy.com that we reported earlier this week, they would have either fixed it right, or shut the service down until they were certain everything was secure. But as reported on Blippy’s own blog, another four credit card numbers showed up in Google search results yesterday.

Possibly more disturbing is that Blippy is claiming only four individuals’ accounts showed up altogether, whereas other reputable sites like Mashable are reporting the number is closer to 200.

Blippy.com compromised.

Hundreds of credit cards exposed.

UPDATE: Blippy responds in their blog.

As reported by Mashable today, Blippy, the online “service” that allows you to see what others have purchased and share your purchases, had an embarrassing and potentially dangerous security issue. According to Mashable:

“Tipster Trey Copeland wrote to us with a link to results for the search: site:blippy.com +"from card". That search returns results showing detailed purchase information for transactions. Each result highlights that there was a “debit card transaction” or “card transaction,” the amount spent, the specific location (address included) and the full card number.”

Mashable included a screenshot of Google’s search results, which show a number of compromised credit card numbers exposed. Don’t bother trying that search query: you’ll get an error message from Google instead.

The social media team I run at C-E has long speculated that this would happen. We couldn’t imagine why on earth anyone would share their purchases and trust all their credit card numbers to a social site that doesn’t sell anything.

TIP: As we warned a few weeks ago, there’s no reason to join Blippy. You do not ever need to share your purchases. It makes you a target. If you are a member, take immediate action to remove your financial information.

A generous nod to Gary Olson for the story.

What’s in a name?

We’ve been exploring the issues we’re facing in social media, and Dave and I have been talking about how we got here. One of the common issues we continue to see is links that claim to give access to a resource of interest when in fact they point to a piece of malicious software (malware).

Thinking back to how we got here, I recalled the first time I accessed a resource on the Web. It was with an early browser called Lynx. I went to a website and clicked on a link to a map of a building. Except the browser couldn’t render the image file; I had to download it and open it with another program. The crude nature of this process made it very clear that the file I was accessing, picture.gif, was exactly that: an image file.

Today, we access the same resources through increasingly confusing naming conventions. We used to tell people to pay attention to the URL they’re accessing. Today many of these addresses are encoded so that it’s impossible to discern what they are or where they’re located. When we started using Twitter, we had limited character space so we started to shorten the URLs, obfuscating them further. This has made it very difficult to give guidance to people about safe practices in regard to URLs.

It’s still important to look at the links you’re clicking on and make an effort to determine if the destination appears to be legit. www.gmail.ru is probably something you shouldn’t trust.
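The kind of check the paragraph above is asking readers to do by eye can be written down. This is an added example, not code from the original post: it pulls the real host out of a link, flags hosts that carry a brand name but sit under some other domain (the www.gmail.ru case), and marks shortened links as opaque because the link text says nothing about the destination. The trusted-domain and shortener lists are constructed for the example.

```python
from urllib.parse import urlsplit

# Brands a reader cares about, mapped to the domains that really serve them.
# Constructed for this example; extend it for your own environment.
TRUSTED = {
    "gmail": {"gmail.com", "google.com"},
    "facebook": {"facebook.com"},
    "apple": {"apple.com"},
}
# Public URL shorteners: the destination cannot be judged from the link itself.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl"}


def registrable_domain(host):
    """Last two labels of the host, e.g. www.gmail.ru -> gmail.ru.
    Simplification: multi-part public suffixes such as co.uk are not handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_link(url):
    """Return (host, verdict); verdict is 'trusted', 'lookalike',
    'shortened' or 'unknown'."""
    # Bare hosts like "www.gmail.ru/login" need a scheme for urlsplit to
    # treat the first component as the netloc rather than as a path.
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""          # hostname is already lowercased
    domain = registrable_domain(host)
    if domain in SHORTENERS:
        return host, "shortened"
    # The registrable domain, not the leftmost label, decides who owns the host.
    if any(domain in good for good in TRUSTED.values()):
        return host, "trusted"
    # A brand name anywhere in the host under a foreign domain is the
    # classic lookalike: gmail.ru, gmail.com.evil.example, ...
    for brand, good in TRUSTED.items():
        if brand in host and domain not in good:
            return host, "lookalike"
    return host, "unknown"
```
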

I’m not sure anyone is working on a solution for this, and it’s probably going to get worse before it gets better. In the meantime, pay attention to the things you CAN recognize:

Do you have thoughts about how to improve the issue with URLs? Do you know of anyone who’s working on this?
