- Safari bug affects users sharing content
- Attackers can exploit the issue to steal files
- Details on the vulnerability are now public,
Apple has no fix planned
Security researcher Pawel Wylecial has found a Safari bug
attackers could use to steal files from users’ devices. The bug is now known,
as Apple postponed the release of a patch.
Wylecial identified the bug in the Web Share API that
lets users share content via third-party applications such as email clients and
messaging apps. The problem is actually surprisingly easy to exploit and could
lead to much more severe issues.
“The problem is that file: scheme is allowed and when a website points
to such URL unexpected behavior occurs,” says
Wylecial. “In case such a link is passed to the navigator.share function an
actual file from the user file system is included in the shared message which
leads to local file disclosure when a user is sharing it unknowingly.”
Because user interaction is required for a threat actor
to exploit it, a more sophisticated attackers could disguise or hide the shared
file from the end-user. The researcher even shared a
demonstration of how it’s possible to steal the Safari browser history by using
the web share API.
Affected platforms include iOS (13.4.1, 13.6), macOS
Mojave 10.14.16 with Safari 13.1 (14609.1.20.111.8) and on macOS Catalina
10.15.5 with Safari 13.1.1 (15609.2.9.1.2).
Wylecial reported the bug in April 2020. The company only
acknowledged the problem in August, after saying for many months that the issue
is under analysis. Eventually, the researcher informed Apple that the report
would go public on August 24. The company requested more time and said it plans
to fix the issue in the Spring 2021 security update.
More than four months have passed since the original
notification, and the report is now public. As it stands, no fix or mitigation is
available, and Apple has given no indication that it plans to fix the problem
ahead of their announced schedule.