• @abhibeckert@beehaw.org
    1 year ago

    A patch isn’t (yet) available.

    But a workaround is. Configure your password manager (or switch to another password manager) so it doesn’t automatically fill usernames and passwords as soon as you open a webpage. Set it to fill the credentials when you click a button or hit a hotkey.

    And after this security flaw is fixed? Leave the settings like that. Because this isn’t the first time autofill has resulted in a major compromise and it won’t be the last time either.

    PS: this speculative execution bug was reported to Apple a very long time ago and there are experimental settings you can change to test the fix… but they might be buggy. Modifying your password manager’s behaviour will not be buggy. The setting is:

    defaults write com.apple.safari InternalDebugProcessSwapOnCrossSiteWindowOpenEnabled 1