The web's full of vulnerabilities, but this exploit, which allows code to quietly yank your Mac's Address Book with Safari's AutoFill, is bad enough that you should probably just stop what you're doing and disable it, just to be safe.
These fields are AutoFill'ed using data from the user's personal record in the local operating system address book. Again, it is important to emphasise this feature works even though a user never entered this data on any website. Also, this behaviour should not be confused with normal auto-complete data a Web browser may remember after it's typed into a form.
As shown in the proof-of-concept code (graciously hosted by Robert "RSnake" Hansen), the entire process takes mere seconds and represents a major breach in online privacy. This attack could be further leveraged in multistage attacks including email spam, (spear) phishing, stalking, and even blackmail if a user is de-anonymized while visiting objectionable online material.
Grossman told Apple about the issue over a month ago but hasn't heard back yet, so yeah, probably a good idea for Safari users to go to Preferences and uncheck all AutoFill until this is addressed. [Jeremiah Grossman via 9to5Mac]
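The attack described above depends on a page carrying contact-type form fields that the user never sees. As an added example (not the original article's or Grossman's proof-of-concept code), here is a small defender-side heuristic that flags form fields which both look like contact-card fields and are hidden from the user; a reviewer, a site scanner or a browser extension could surface such fields before AutoFill ever touches them. The field-name patterns and the "hidden" tests are assumptions for the example; the page does not state which names Safari matches or how the proof of concept concealed its fields.

```javascript
// Added example, not from the article or Grossman's proof of concept.
// Heuristic: a legitimate form shows the fields it expects AutoFill to populate,
// so a field that is both contact-like and invisible is worth flagging.

// Assumed name patterns for contact-card fields (Safari's real matching rules
// are not given on the page). Tested against name, id and autocomplete attributes.
const CONTACT_FIELD_PATTERNS = [
  /^(first|last|full|middle)?[_-]?name$/i, // "name", "fullName", "first_name", but not "username"
  /e-?mail/i,
  /phone|tel/i,
  /address|street|city|zip|postal|country/i,
  /company|organi[sz]ation/i,
];

// A field descriptor is a plain object, so the check also runs without a DOM:
// { name, id, type, autocomplete, display, visibility, opacity, width, height, left, top }
function isContactField(field) {
  const keys = [field.name, field.id, field.autocomplete].filter(Boolean);
  return keys.some((k) => CONTACT_FIELD_PATTERNS.some((re) => re.test(k)));
}

// Assumed set of common ways to keep a field out of the user's sight.
function isHidden(field) {
  if (field.type === 'hidden') return true;
  if (field.display === 'none' || field.visibility === 'hidden') return true;
  if (Number(field.opacity) === 0) return true;
  if (field.width <= 1 || field.height <= 1) return true;       // collapsed to a pixel or less
  if (field.left < -1000 || field.top < -1000) return true;     // positioned far off-screen
  return false;
}

// Returns the names of fields that are contact-like AND hidden.
function flagHiddenContactFields(fields) {
  return fields.filter((f) => isContactField(f) && isHidden(f)).map((f) => f.name);
}

// Adapter for a live page: turn each <input>/<textarea> into a descriptor.
function collectFields(doc) {
  return Array.from(doc.querySelectorAll('input, textarea')).map((el) => {
    const cs = doc.defaultView.getComputedStyle(el);
    const r = el.getBoundingClientRect();
    return {
      name: el.name, id: el.id, type: el.type,
      autocomplete: el.getAttribute('autocomplete'),
      display: cs.display, visibility: cs.visibility, opacity: cs.opacity,
      width: r.width, height: r.height, left: r.left, top: r.top,
    };
  });
}

// Constructed sample: a visible login form plus contact fields tucked out of sight.
const SAMPLE_FIELDS = [
  { name: 'username', type: 'text', display: 'block', visibility: 'visible', opacity: '1', width: 200, height: 24, left: 20, top: 40 },
  { name: 'password', type: 'password', display: 'block', visibility: 'visible', opacity: '1', width: 200, height: 24, left: 20, top: 80 },
  { name: 'name', type: 'text', display: 'none', visibility: 'visible', opacity: '1', width: 0, height: 0, left: 0, top: 0 },
  { name: 'email', type: 'text', display: 'block', visibility: 'visible', opacity: '1', width: 200, height: 24, left: -5000, top: 0 },
  { name: 'phone', type: 'text', display: 'block', visibility: 'visible', opacity: '0', width: 200, height: 24, left: 20, top: 120 },
  { name: 'newsletter_email', type: 'text', display: 'block', visibility: 'visible', opacity: '1', width: 200, height: 24, left: 20, top: 160 },
];

if (typeof document !== 'undefined') {
  // In a browser (e.g. from an extension or devtools), scan the real page.
  console.log(flagHiddenContactFields(collectFields(document)));
} else {
  // Outside a browser, run over the constructed sample: ["name", "email", "phone"]
  console.log(flagHiddenContactFields(SAMPLE_FIELDS));
}
```

The visible `newsletter_email` field is contact-like but not flagged, and the hidden `password` field would be flagged only if it also matched a contact pattern; the heuristic deliberately reports the intersection, so it is a review aid rather than a verdict, and it does not replace the article's advice to turn AutoFill off in Safari's preferences until the issue is fixed.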