Safari Bug Revealed After Apple Takes Nearly a Year to Patch
A Polish security researcher unveiled a flaw in a cross-browser sharing API that could allow attackers to steal user files.
A security researcher has disclosed details of a security hole in Apple's Safari web browser that could leak local files to other applications through the system share sheet and open the door to exploitation by attackers. The disclosure came only after Apple said it would delay patching the vulnerability for nearly a year. For context, the researcher himself rated the bug as "not very serious."
Polish security researcher Pawel Wylecial, co-founder of REDTEAM.PL, unveiled the flaw. He attributed the bug to Safari's implementation of the Web Share API, according to a blog post outlining his finding on Monday. The API, which is relatively new, lets a web page hand a link, title and text to the operating system's share sheet, from which the user picks a third-party application such as a mail or messaging app.
The problem is that Safari's implementation, on both the mobile and desktop versions, accepts URLs with the file: scheme, which point at files stored on the user's local disk. A user who believes they are only sharing an article or link with a friend can therefore unknowingly send a personal file to a recipient chosen by a malicious site, Wylecial wrote.
“The problem is that file: scheme is allowed, and when a website points to such URL unexpected behavior occurs,” Wylecial explained in his post. “In case such a link is passed to the navigator.share function an actual file from the user file system is included in the shared message, which leads to local file disclosure when a user is sharing it unknowingly.”