#BugAlert: Security flaw flagged in Safari, but Apple delayed patch
Apple's Safari browser has been taking on Google Chrome with its promise of safety and security, but that does not mean it is totally bug-proof.
The platform has run into several issues in the past, and now, a researcher claims it carries a bug that can be exploited to leak or steal private files from iOS or macOS devices.
Here are the details.
Problem with Web Share API implementation
During an in-depth analysis of Safari, Pawel Wylecial, the co-founder of Polish security firm REDTEAM.PL, found a problem with the browser's implementation of the Web Share API, a standard generally used for sharing links/files hosted on the web via third-party apps. The researcher noted that the API not only allowed web-based sharing but also, in some cases, shared files from the local hard drive.
Issue ties to specific scheme
As Wylecial delved into the matter, he found that the bug was associated with the use of the "file://" URI scheme in the implementation of the Web Share API. This, he said, opened a way for threat actors to lure unsuspecting users into sharing content from seemingly legitimate (but actually malicious) pages and stealing or leaking their data in the process.
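As an added illustration (not code from Wylecial's write-up or from Safari), the defensive counterpart to this issue is a scheme allowlist applied to the resolved share URL before it reaches the share sheet. The function names and the example.test URLs are hypothetical, and the sample inputs are constructed.

```javascript
// Added example: scheme allowlist for Web Share-style payloads.
// Helper names are hypothetical; this is not Safari/WebKit code.
const SHAREABLE_SCHEMES = new Set(["http:", "https:"]);

// Resolve the URL as a browser would (relative to the page) and
// allow it only if the resulting scheme is on the allowlist.
function checkShareUrl(rawUrl, baseUrl) {
  let resolved;
  try {
    resolved = new URL(rawUrl, baseUrl);
  } catch (err) {
    return { allowed: false, reason: "unparseable URL" };
  }
  // URL normalises case and leading whitespace, so "FILE:" and
  // "  file:" both arrive here as "file:".
  if (!SHAREABLE_SCHEMES.has(resolved.protocol)) {
    return { allowed: false, reason: `scheme ${resolved.protocol} not shareable` };
  }
  return { allowed: true, href: resolved.href };
}

// Build the payload that would be handed to the share target.
// title/text are plain strings; only url can point at a resource.
function filterShareData(data, baseUrl) {
  const out = {};
  if (typeof data.title === "string") out.title = data.title;
  if (typeof data.text === "string") out.text = data.text;
  if (data.url !== undefined) {
    const verdict = checkShareUrl(String(data.url), baseUrl);
    if (!verdict.allowed) throw new TypeError(`share rejected: ${verdict.reason}`);
    out.url = verdict.href;
  }
  return out;
}

// Constructed sample inputs, checked against a constructed page URL.
const SAMPLE_BASE = "https://example.test/gallery/";
for (const u of ["cat.jpg", "https://example.test/a", "file:///etc/passwd", "FILE:///etc/passwd"]) {
  console.log(u, "->", JSON.stringify(checkShareUrl(u, SAMPLE_BASE)));
}
```

Checking the resolved URL rather than the raw string matters: a prefix test on the input would miss the upper-case and whitespace-padded variants.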
The researcher also demonstrated the bug
To show the risk from the API in question, the researcher shared a video demonstrating how the flaw could be exploited. He also created two malicious pages that could compromise a Safari user's /etc/passwd or browser history database files. All the target has to do is hit the share button and proceed with sharing a seemingly innocuous photo/video/link.
Patch delayed until 2021
Disturbingly, although Wylecial reported the bug to Apple in April, the company pushed its fix to the spring of 2021. The researcher therefore published the details of the flaw himself, complete with a proof-of-concept, to warn iOS and macOS users. Notably, other researchers have also claimed that Apple has delayed patches for bugs they had flagged by months.
Here's what one bug reporter said
I reported one issue in June 2019. It will be fixed on "Fall of 2020" 😅 — Wojciech Reguła (@_r3ggi) August 24, 2020
This brings Apple's bug-handling into question
The delayed patch brings Apple's handling of security issues into question. Wylecial says the flaw might not be serious, given that it requires user interaction and social engineering, but threat actors are becoming extremely creative and could easily use it to their advantage. Hopefully, Apple takes another look at the matter and issues at least some mitigations to prevent that from happening.