#BugAlert: Security flaw flagged in Safari, but Apple delayed patch

During an in-depth analysis of Safari, Pawel Wylecial, the co-founder of Polish security firm REDTEAM.PL, found a problem with the browser's implementation of Web Share API, a standard generally used for sharing links/files hosted on the web via third-party apps.

The researcher noted that the API not just allowed web-based sharing but also, in some cases, shared files from the local hard drive.

As Wylecial delved into the matter, he found that the bug was associated with the use of "file:// URI" scheme in the implementation of Web Share API.

This, he said, opened a way for threat actors to lure unsuspecting users into sharing content from seemingly legitimate (but actually malicious) pages and stealing or leaking their data in the process.

To show the risk from the API in question, the researcher shared a video demonstrating how the flaw could be exploited.

On top of that, he also created two malicious pages that could compromise a Safari user's /etc/passwd or browser history database files. All the target has to do is hit the share button and proceed with sharing a seemingly innocuous photo/video/link.

Disturbingly though, Wylecial reported the bug to Apple in April, but the company pushed its fix to the spring of 2021.

So, the researcher took it upon himself and published the details of the flaw, complete with a proof-of-concept, to warn the iOS and macOS users.

Notably, other researchers have also claimed that Apple has delayed patches for bugs they had flagged by months.

The delayed patch brings Apple's handling of security issues into question.

Wylecial says the flaw might not be serious, given that it requires user interaction and social engineering, but threat actors are becoming extremely creative and could easily use it to their advantage.

Hopefully, Apple takes another look at the matter and issues at least some mitigations to prevent that from happening.