Safari Bug Revealed After Apple Takes Nearly a Year to Patch

Polish security researcher unveiled the flaw in a cross-browser sharing API that could allow attackers to steal user files.

A security researcher disclosed details of an Apple Safari web browser security hole that could leak files with other browsers and applications and open the door to exploitation by attackers. The disclosure came only after Apple said it would delay patching the vulnerability for nearly a year. For context, researcher rated the bug as “not very serious”.

Polish security researcher Pawel Wylecial, co-founder of REDTEAM.PL unveiled the flaw. He attributed the bug to Safari’s implementation of the Web Share API, according to a blog post outlining his finding on Monday. The API, which is relatively new, allows users to share links from the browser via third-party applications, such as those distributed via mail and messaging apps.

The problem lies in that the implementation’s file:  scheme on both the mobile and desktop versions of Safari which allows access to files stored on the user’s local hard drive. This can lead to someone unknowingly sharing personal files or data with a malicious site when assuming they are only sharing an article or link with their friends, Wylecial wrote.

“The problem is that file:  scheme is allowed, and when a website points to such URL unexpected behavior occurs,” Wylecial explained in his post. “In case such a link is passed to the navigator.share function an actual file from the user file system is included in the shared message, which leads to local file disclosure when a user is sharing it unknowingly.”

Wylecial acknowledged that the “problem is not very serious” because it requires a user to take action rather than allowing an attacker to remotely control someone’s system without their knowledge.

However, he said it’s not difficult to make the shared file invisible to the user, comparing the capability the flaw gives an attacker to clickjacking in the way it aims “to convince the unsuspecting user to perform some action,” he said.

That the bug is not super-serious may not be the point, however. Wylecial’s disclosure once again highlight’s Apple’s lackluster approach to patching vulnerabilities discovered by third-party researchers as well as a historically chilly relationship with them.

Wylecial reported the bug to Apple on April 17 of this year, with the company acknowledging four days later that they received his report. After much back and forth, earlier this month Apple said it would address the issue in the Spring 2021 update to Safari, which would be nearly a year after the issue was reported.

This prompted Wylecial to reveal his research, he said. The researcher said he told Apple “that waiting with the disclosure for almost an additional year, while four months already have passed since reporting the issue, is not reasonable.” He then went public with his research.

Indeed, the disclosure shows the ongoing tension between Apple and security researchers, which many thought was on its way to being solved when the company finally opened its bug bounty program to the public in December 2019, a move announced four months before at Black Hat in August.

The revamped public program boosted payouts and expanded the platform playing field for researchers over the previous program, which was invite-only with rewards only as high as $200,000 on limited platforms. Now researchers can receive up to $1 million for the most critical of zero-day flaws on its latest hardware, and between $25,000 to $500,000 for discovering vulnerabilities in range of other products, including Macs, iPhone and iPad, and Apple TV.

Even after the changes, however, some notable researchers, including Google’s Project Zero Ian Beer—known for discovering a number of zero-day iOS flaws–balked at participating in the Apple bug bounty program.

On Wed Sept. 16 @ 2 PM ET: Learn the secrets to running a successful Bug Bounty Program. Resister today for this FREE Threatpost webinar “Five Essentials for Running a Successful Bug Bounty Program“. Hear from top Bug Bounty Program experts how to juggle public versus private programs and how to navigate the tricky terrain of managing Bug Hunters, disclosure policies and budgets. Join us Wednesday Sept. 16, 2-3 PM ET for this LIVE webinar.

Suggested articles