Page Loader
#BugAlert: Security flaw flagged in Safari, but Apple delayed patch

#BugAlert: Security flaw flagged in Safari, but Apple delayed patch

Aug 25, 2020
06:27 pm

What's the story

Apple's Safari browser has been taking on Google Chrome with its promise of safety and security, but that does not mean it is totally bug-proof. The platform has run into several issues in the past, and now, a researcher claims it carries a bug that can be exploited to leak or steal private files from iOS or macOS devices. Here's all about it.

Issue

Problem with Web Share API implementation

During an in-depth analysis of Safari, Pawel Wylecial, the co-founder of Polish security firm REDTEAM.PL, found a problem with the browser's implementation of Web Share API, a standard generally used for sharing links/files hosted on the web via third-party apps. The researcher noted that the API not just allowed web-based sharing but also, in some cases, shared files from the local hard drive.

Details

Issue ties to specific scheme

As Wylecial delved into the matter, he found that the bug was associated with the use of "file:// URI" scheme in the implementation of Web Share API. This, he said, opened a way for threat actors to lure unsuspecting users into sharing content from seemingly legitimate (but actually malicious) pages and stealing or leaking their data in the process.

Demonstration

The researcher also demonstrated the bug

To show the risk from the API in question, the researcher shared a video demonstrating how the flaw could be exploited. On top of that, he also created two malicious pages that could compromise a Safari user's /etc/passwd or browser history database files. All the target has to do is hit the share button and proceed with sharing a seemingly innocuous photo/video/link.

Fix

Patch delayed until 2021

Disturbingly though, Wylecial reported the bug to Apple in April, but the company pushed its fix to the spring of 2021. So, the researcher took it upon himself and published the details of the flaw, complete with a proof-of-concept, to warn the iOS and macOS users. Notably, other researchers have also claimed that Apple has delayed patches for bugs they had flagged by months.

Twitter Post

Here's what one bug reporter said

Question

This brings Apple's bug-handling into question

The delayed patch brings Apple's handling of security issues into question. Wylecial says the flaw might not be serious, given that it requires user interaction and social engineering, but threat actors are becoming extremely creative and could easily use it to their advantage. Hopefully, Apple takes another look at the matter and issues at least some mitigations to prevent that from happening.