A security researcher has disclosed details today about a Safari browser bug that could be abused to leak or steal files from users’ devices.
The bug was discovered by Pawel Wylecial, co-founder of Polish security firm REDTEAM.PL.
Wylecial initially reported the bug to Apple earlier this spring, in April, but the researcher decided to go public with his findings today after the OS maker delayed patching the bug for almost a year, to the spring of 2021.
How does the bug work
In a blog post today, Wylecial said the bug resides in Safari’s implementation of the Web Share API — a new web standard that introduced a cross-browser API for sharing text, links, files, and other content.
The security researcher says that Safari (on both iOS and macOS) allows sharing files that are stored on the user’s local hard drive (via the file:// URI scheme).
This is a major privacy issue, as it could lead to situations where malicious web pages invite users to share an article via email with their friends, but end up secretly siphoning or leaking a file from their device.
See the video below for a demonstration of the bug, or play with these two demo pages that can exfiltrate a Safari user’s /etc/passwd or browser history database files.
Wylecial described the bug as “not very serious,” since user interaction and complex social engineering are required to trick users into leaking local files; however, he also admitted that it was quite easy for attackers “to make the shared file invisible to the user.”
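To make the missing check concrete, here is an added example (not code from the article, from Wylecial, or from Apple) of a scheme allow-list for Web Share API payloads: a share request whose URL resolves to anything other than http(s), such as a file:// path, is refused before it reaches the share sheet. All function names and the sample URLs are the editor's own; the check belongs in the browser's implementation of the API, and a page-side wrapper is only an illustration of the logic.

```javascript
// Constructed example: allow-list the URL scheme of a Web Share payload.
// Only web URLs may be shared; file://, javascript: and similar are refused.

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Resolve `raw` the way a browser would (relative URLs resolve against
// `base`, the sharing page's own URL) and report whether the result is
// a web URL. URL() lower-cases the scheme, so "FILE:///etc/passwd" is
// caught as well as "file:///etc/passwd".
function isShareableUrl(raw, base) {
  let parsed;
  try {
    parsed = new URL(raw, base);
  } catch (e) {
    return false; // unparsable input is never shareable
  }
  return ALLOWED_SCHEMES.has(parsed.protocol);
}

// Validate a navigator.share() payload ({title, text, url}).
// Returns a normalised copy with an absolute URL, or null when the
// url field is present but not allowed.
function sanitizeShareData(data, base) {
  if (!data || typeof data !== "object") return null;
  const out = {};
  if (typeof data.title === "string") out.title = data.title;
  if (typeof data.text === "string") out.text = data.text;
  if (data.url !== undefined) {
    if (typeof data.url !== "string" || !isShareableUrl(data.url, base)) {
      return null;
    }
    out.url = new URL(data.url, base).href;
  }
  return out;
}

// Wrapper that refuses non-web URLs before calling the share function.
// `shareFn` is injectable so the logic can run outside a browser;
// in a page it defaults to navigator.share().
async function safeShare(data, base, shareFn) {
  const clean = sanitizeShareData(data, base);
  if (clean === null) {
    throw new Error("share refused: only http(s) URLs may be shared");
  }
  const fn = shareFn || ((d) => navigator.share(d));
  return fn(clean);
}
```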
Recent criticism of Apple’s patch handling
However, the real issue here isn’t just the bug itself and how easy or complex it is to exploit, but how Apple handled the bug report.
Not only did Apple fail to have a patch ready after more than four months, but the company also tried to delay the researcher from publishing his findings until next spring, almost a full year after the original bug report, and well beyond the standard 90-day vulnerability disclosure deadline that is broadly accepted in the infosec industry.
Situations like the one Wylecial had to face are becoming increasingly common among iOS and macOS bug hunters these days.
Apple — despite announcing a dedicated bug bounty program — is increasingly being accused of delaying bug fixes on purpose and trying to silence security researchers.
For example, when Wylecial disclosed his bug earlier today, other researchers reported similar situations where Apple delayed patching security bugs they had reported for more than a year.
When Apple announced the rules of the Security Research Device program in July, Google’s vaunted Project Zero security team declined to participate, claiming that the program rules were specifically written to limit public disclosure and muzzle security researchers about their findings.
Three months earlier, in April, another security researcher also reported a similar experience with Apple’s bug bounty program, which he described as “a joke,” characterizing the program’s purpose as trying “to keep researchers quiet about bugs for as long as possible.”
An Apple spokesperson acknowledged our request for comment earlier today but said the company would not be able to comment, as it needed to investigate further.