Flaw In Safari Browser Could Let Hackers Steal Your Files, Apple Delays Patch

A security researcher on Monday published details about a Safari data leak bug that can allow an attacker to steal files from iOS and Mac devices.ย 

Pawel Wylecial, a co-founder of Polish security firm REDTEAM.PL, first discovered the bug on April 17 and reported to Apple, which was acknowledged by them on April 21. However, the tech giant continued to delay the issue despite repeated follow-ups by the researcher for status updates.ย 

On August 14, Apple finally replied to Wylecial asking him to withhold the details as they plan to address the issue in the Spring 2021 security update. Therefore, on August 24, the researcher decided to go public with his findings as he found the timeline proposed by Apple to patch the bug unreasonable.ย 

HOW DOES THE BUG WORK?

The bug is rooted in Apple’s Web Share API – a new web standard that introduced a cross-browser API for sharing text, links, files, and other content, reportsย ZDNet.ย ย 

In aย blog post on Monday, Wylecial said that the problem is that file: scheme is allowed, and when a website points to such URL unexpected behavior occurs. In case such a link is passed to the navigator.share function an actual file from the user file system is included in the shared message which leads to local file disclosure when a user is sharing it unknowingly.ย ย 

Wylecial has described the bug as โ€œnot very seriousโ€, as user interaction is required to enable the potential data leak.

However, he said it is very easy to make the shared file invisible to the users, comparing the ability of the flaw gives an attacker to clickjacking in the way it aims โ€œto convince the unsuspecting user to perform some action.โ€ย 

 

As pointed out by ZDNet, it was the way in which Apple dealt with Wylecialโ€™s bug report. Generally, security researchers give companies a full 90 days before disclosing their findings to the public.

However, when Apple revealed that they wonโ€™t patch the vulnerability until Spring 2021, Wylecial decided to go ahead and disclose it publicly.ย ย 

The bug presently affects iOS (13.4.1, 13.6), macOS Mojave 10.14.16 with Safari 13.1 (14609.1.20.111.8), and macOS Catalina 10.15.5 with Safari 13.1.1 (15609.2.9.1.2).

Subscribe to our newsletter

To be updated with all the latest news

Kavita Iyer
Kavita Iyerhttps://www.techworm.net
An individual, optimist, homemaker, foodie, a die hard cricket fan and most importantly one who believes in Being Human!!!

Subscribe to our newsletter

To be updated with all the latest news

Read More

Suggested Post