Information
Autofill capabilities in a Web Browser are a feature to allow a user to avoid re-typing the same user information in every form that a user encounters. Part of the modern internet consists of vendors establishing a seemingly close relationship with as many users as possible to market to them, data-mine form them and sell their data to third parry data aggregators. Autofill can be a method for a user to share too much information with untrusted website owners. Many security professionals advise disabling autofill to reduce the risk of over-sharing. These security professionals appear to believe that manual data entry is better, since completing the required forms are often the only method to connect to needed data. The best method for security is to ensure that the data ready to be auto-filled is an acceptable risk to sites a user interacts with. Users must review what data they accept the risk to share.
Rationale:
Auditing and accepting information a user is willing to share prior to loading the blank form is the best way to manage risk.
Impact:
A user could overshare information based on trusting a site more than required.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
Profile Method:
Create or edit a configuration profile with the following information:
The PayloadType string is com.apple.Safari
The key to include is AutoFillFromAddressBook
The key must be set to: <<true/false>/>
The key to include is AutoFillPasswords
The key must be set to: <<true/false>/>
The key to include is AutoFillCreditCardData
The key must be set to: <<true/false>/>
The key to include is AutoFillMiscellaneousForms
The key must be set to: <<true/false>/>