The Safari web browser can autofill form fields from your personal address book card. I’ve had very good experiences with this feature. But today I was creeped out a little on my brightkite profile as I saw my birthday even though I had not provided it anywhere. It took me a moment to realize that Safari had autofilled my birthday.

So I quickly came up with an evil idea. Would it be possible to abuse that feature to automatically collect birthdays from users on say a signup form?

And yes, it’s possible. Save the following HTML on your disk:

<html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title> Settings - Profile - brightkite.com </title> </head> <body> <form action="http://localhost/" method="get"> <label for="fullname">Full name</label> <input id="fullname" name="fullname" /> <input type="submit" /> <input id="street" name="street" /> <input id="dob" name="dob" style="opacity:0" /> </form> </body> </html>

It defines a form with the three fields full name, street and birthday. The birthday field is hidden – so the user has no idea that it will be submitted as well. The street field is just in there for easy checking if the autocompletion is working.

Then open the form in Safari (I tried on Version 4 Public Beta 5528.16), enter your full name in the first field and use the tab key to activate the submit button. If everything worked, you’ll see the street field autofilled as you’d expect. But when you submit, the birthday is submitted as well – if you have it stored in your address book.