A Polish security researcher has just disclosed the details of a Safari web browser security vulnerability that could leak files to other browsers and applications and open the door to exploitation by attackers.
Even though the researcher himself said that the bug “wasn’t too serious”, Apple – Safari’s developer – has decided to delay a security patch for over a year.
Pawel Wylecial, co-founder of REDTEAM.PL, is the man behind the discovery.
He attributed the bug to Safari’s implementation of the Web Share API, according to an article the researcher wrote recently detailing his findings.
This API, which is relatively new, has been designed to allow users to share links from the browser via third-party applications like email clients and instant messaging applications like WhatsApp and Telegram.
The issue lies in the implementation's handling of the file: scheme on both the mobile and desktop versions of Safari, which allows access to files stored on the user’s local hard drive.
This can lead to someone unknowingly sharing personal files or data with a malicious site when assuming they are only sharing an article or link with their friends.
“The problem is that file: scheme is allowed, and when a website points to such URL unexpected behavior occurs,” Wylecial explained in his post. “In case such a link is passed to the navigator.share function an actual file from the user file system is included in the shared message, which leads to local file disclosure when a user is sharing it unknowingly.”
The researcher explained and acknowledged that the “problem is not very serious” because it requires a user to take action rather than allowing an attacker to remotely control someone’s system without their knowledge.
However, he said it’s not difficult to make the shared file invisible to the user, and compared the capability the flaw gives an attacker to clickjacking in the way it aims “to convince the unsuspecting user to perform some action.”
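The missing restriction on the file: scheme can be illustrated from the defender's side. This is an added example, not code from Safari, Apple or the researcher's post: a site-side wrapper that resolves the URL the way a browser would and lets only http: and https: reach navigator.share. The function names and the example.test URLs are assumptions made for illustration.

```javascript
// Added example: scheme allowlist applied before data reaches navigator.share().
// All names and URLs here are hypothetical.
const ALLOWED_SHARE_SCHEMES = new Set(["http:", "https:"]);

// Resolve `url` against the page URL with the WHATWG parser, which lowercases
// the scheme and strips leading whitespace, so "FILE:" or "\tfile:" cannot slip
// past the check the way they would past a naive startsWith("file:") test.
function validateShareUrl(url, baseUrl) {
  let parsed;
  try {
    parsed = new URL(url, baseUrl);
  } catch (err) {
    throw new TypeError("share url is not a valid URL");
  }
  if (!ALLOWED_SHARE_SCHEMES.has(parsed.protocol)) {
    throw new TypeError(`share url scheme ${parsed.protocol} is not allowed`);
  }
  return parsed.href;
}

// Copy only the fields the wrapper understands; the url field is validated.
function buildShareData(input, baseUrl) {
  const out = {};
  if (typeof input.title === "string") out.title = input.title;
  if (typeof input.text === "string") out.text = input.text;
  if (input.url !== undefined) {
    out.url = validateShareUrl(String(input.url), baseUrl);
  }
  return out;
}

// Call this instead of navigator.share(); outside a browser it only validates.
async function safeShare(input, baseUrl) {
  const data = buildShareData(input, baseUrl);
  if (typeof navigator === "undefined" || typeof navigator.share !== "function") {
    return { shared: false, data };
  }
  await navigator.share(data);
  return { shared: true, data };
}
```

A wrapper like this protects a site that builds share links from untrusted input; it does not replace the browser-side fix, since a malicious page simply would not call it.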
A question of time
The bug itself may not be critical, but we have to consider that Wylecial reported it to Apple on April 17 of this year, with the company acknowledging four days later that they received his report. After much back and forth, earlier this month Apple said it would address the issue in the Spring 2021 update to Safari, which would be nearly a year after the issue was reported.
This highlights the uneasy relationship between Apple and security researchers, even after a revamped bug hunting program was launched earlier this year.