Tomcat
Professional
- Messages
- 2,687
- Reaction score
- 1,036
- Points
- 113
Security researcher Pawel Wylecial has published details about a vulnerability in the Safari browser that can be used to steal files from users' devices.
The problem is related to the implementation in the browser of the Web Share API - a new standard that allows users to share text, files, links and other content. According to the researcher, Safari (both iOS and macOS versions) supports the exchange of files stored on the hard drive (via the file: // URI scheme), as a result, when you send a link to the navigator.share function, a file from the file system is included in the message. which could lead to data leakage.
The vulnerability is not particularly dangerous since it requires user interaction to exploit it, although “it is quite easy to make a file invisible to the user,” the expert noted.
A video demonstrating the operation process is below.
However, the problem is not so much the vulnerability itself or how easy it is to exploit, but rather Apple's attitude towards vulnerability reporting.
Initially, Vyletsyal informed the tech giant about the bug in April this year, but Apple postponed the release of the patch for almost a year - until the spring of 2021. In addition, the company asked the researcher to postpone the publication of information about the vulnerability until next spring, despite the standard period of 90 days adopted in the information security community.
This situation is not unique. Recently, more and more accusations have been made against Apple that the company is deliberately postponing fixing vulnerabilities and trying to keep researchers from publishing data about them. Apple itself has not yet commented on the situation.
The problem is related to the implementation in the browser of the Web Share API - a new standard that allows users to share text, files, links and other content. According to the researcher, Safari (both iOS and macOS versions) supports the exchange of files stored on the hard drive (via the file: // URI scheme), as a result, when you send a link to the navigator.share function, a file from the file system is included in the message. which could lead to data leakage.
The vulnerability is not particularly dangerous since it requires user interaction to exploit it, although “it is quite easy to make a file invisible to the user,” the expert noted.
A video demonstrating the operation process is below.
However, the problem is not so much the vulnerability itself or how easy it is to exploit, but rather Apple's attitude towards vulnerability reporting.
Initially, Vyletsyal informed the tech giant about the bug in April this year, but Apple postponed the release of the patch for almost a year - until the spring of 2021. In addition, the company asked the researcher to postpone the publication of information about the vulnerability until next spring, despite the standard period of 90 days adopted in the information security community.
This situation is not unique. Recently, more and more accusations have been made against Apple that the company is deliberately postponing fixing vulnerabilities and trying to keep researchers from publishing data about them. Apple itself has not yet commented on the situation.
