- Safari bug affects users sharing content
- Attackers can exploit the issue to steal files
- Details on the vulnerability are now public, Apple has no fix planned
Security researcher Pawel Wylecial has found a Safari bug attackers could use to steal files from users’ devices. The bug is now known, as Apple postponed the release of a patch.
Wylecial identified the bug in the Web Share API that lets users share content via third-party applications such as email clients and messaging apps. The problem is actually surprisingly easy to exploit and could lead to much more severe issues.
“The problem is that file: scheme is allowed and when a website points to such URL unexpected behavior occurs,” says Wylecial. “In case such a link is passed to the navigator.share function an actual file from the user file system is included in the shared message which leads to local file disclosure when a user is sharing it unknowingly.”
Because user interaction is required for a threat actor to exploit it, a more sophisticated attackers could disguise or hide the shared file from the end-user. The researcher even shared a demonstration of how it’s possible to steal the Safari browser history by using the web share API.
Affected platforms include iOS (13.4.1, 13.6), macOS Mojave 10.14.16 with Safari 13.1 (14609.1.20.111.8) and on macOS Catalina 10.15.5 with Safari 13.1.1 (15609.2.9.1.2).
Wylecial reported the bug in April 2020. The company only acknowledged the problem in August, after saying for many months that the issue is under analysis. Eventually, the researcher informed Apple that the report would go public on August 24. The company requested more time and said it plans to fix the issue in the Spring 2021 security update.
More than four months have passed since the original notification, and the report is now public. As it stands, no fix or mitigation is available, and Apple has given no indication that it plans to fix the problem ahead of their announced schedule.