According to researchers, the issue exists on both macOS and iOS.
Being one of the major web browsers, Safari browser gets its fair share of scrutiny from cybersecurity professionals. In the latest, researcher Pawel Wylecial from REDTEAM.PL has discovered a vulnerability in the browser that would allow an attacker to steal user files.
Reported to Apple on 17 April earlier this year, Apple continued to delay the issue despite the researcher repeatedly asking for status updates. Finally, on 14 August, Apple stated that they would fix the issue next year by Spring in response to which the flaw was disclosed on 24 August seeing that it is unreasonable to take so much time to fix a bug.
To start with the vulnerability; the issue was identified in how Apple implements the new Web Share API in which users could share files from their computer with the “file:” extension. However, when users do share such a URL, this is where the problem starts. As Pawel explains in a blog post,
In case such a link is passed to the navigator.share function an actual file from the user file system is included in the shared message which leads to local file disclosure when a user is sharing it unknowingly.
This could be a highly sensitive file such as one containing passwords and therefore compromise the user. Nonetheless, the researcher has stated that this flaw in itself does not become fatal due to user interaction being required which makes social engineering a pre-requisite in such an attack – far from an automated one.
A caveat is that the attacker could also make the file seem invisible to the victim making it difficult for the latter to counter such an attack. An example is given of Mail.app on MacOS in which the file is not seen until the victim scrolls down to the very bottom – something very few people would do if the email is a very short one.
Furthermore, on the Messages app, no filename is found making it even more likely for the user to ignore it as something insignificant even if they notice it.
However, this isn’t limited to Apple’s own apps on macOS and iOS either. If we have a look at the Gmail app, the filename gets changed to display random digits as shown below:
To conclude, this remains another example of how sometimes even the most well equipped of companies could have lax measures in place to address security grievances.
If Apple is serious about protecting users, it should review its internal policies to make sure all bugs are patched within an acceptable timeframe.
And for those of you wondering, this isn’t a one-off incident either, Apple has a habit of doing so as well reflected on Twitter. In one such tweet, a security researcher revealed reporting a bug to Apple in June 2019 to which Apple responded that it will be fixed in the fall of 2020.
The other researcher tweeted that they reported two bugs to which Apple confirmed expecting a fix in the fall of 2020 as well. However, when inquired by the researcher earlier this week the tech giant rubbished their reports by claiming it is not even a bug.
For two of my bugs they've told me same thing that it will be fixed on "Fall of 2020" and yesterday I ask for the update. They replied it's not a bug 😅
— Nikhil Mittal (@c0d3G33k) August 24, 2020