A flaw in the implementation of Safari’s AutoFill mechanism can be exploited to grab Mac users’ names, street addresses, and e-mail addresses. Apparently, the web browser will give away a user’s Mac OS X Address Book data if asked by a malicious web site.

Jeremy Grossman, the founder and chief technology officer of WhiteHat Security, says (http://macosg.me/2/kx) at the moment a user of Safari 4.x or 5.x visits a web site, even if they’ve never been there before or entered any personal information, a malicious website can uncover their first name, last name, work place, city, state, and email address.

All a malicious web site would have to do to surreptitiously extract Address Book card data from Safari is dynamically create form text fields with the names from AutoFill, probably invisibly, and then simulate A-Z keystroke events using JavaScript, he says. When data is populated, that is AutoFill’ed, it can be accessed and sent to the attacker.

“I have no idea when or if Apple plans to fix the issue, or even if they are aware, but thankfully Safari users only need to disable AutoFill web forms to protect themselves,” says Grossman.