A bug in Apple’s Safari browser could be abused by hackers to leak or steal files from the devices of Mac and iOS users according to a new report from a security researcher.
Co-founder of the Polish security firm REDTEAM.PL, Pawel Wylecial first discovered the bug back in April and responsibly reported it to Apple. However, he decided to go public with his findings after the iPhone maker decided to delay patching the bug until the spring of 2021.
In his recently published blog post, Wylecial explains that the bug resides in Safari’s implementation of the Web Share API which is a new web standard that allows for cross-browser sharing of text, links, files and other content.
Apple’s browser allows users to share files that are stored locally on both their iOS or macOS devices. However, this feature could exploited by malicious web sites that secretly steal files from a user’s device when they try to share an article or other content online using Safari.
Safari Web Share API
Wylecial also included a proof-of-concept video in his blog post where he shows how the bug in the Web Share API can be used to steal a user’s /etc/passwd or browser history database files in Safari.
Although Wylecial has described the bug as “not very serious” due to the fact user interaction and complex social engineering are both required to trick users into leaking local files, he also pointed out that it would be quite easy for an attacker “to make the shared file invisible to the user”.
While the Web Share API bug is certainly concerning, so to is the way in which Apple handled Wylecial’s bug report. Typically security researchers give companies a 90-day vulnerability disclosure deadline before going public with their findings but by putting off patching the issue until the spring of next year, Apple forced Wylecial’s hand when it came to disclosing the vulnerability publicly.
As for the bug itself, Wylecial said that iOS versions 13.41 and 13.6 as well as macOS Mojave 10.14.16 with Safari 13.1 and macOS Catalina 10.15.5 with Safari 13.1.1 are all affected and there is currently no fix available for the issue.
Hopefully by publishing his findings publicly, Wylecial can convince Apple to expedite fixes for this bug and those disclosed by other security researchers.