A researcher has recently disclosed a bug publicly that affects the Safari browser after Apple attempted to delay the fix.
Safari Bug Allows Stealing Data
Reportedly, security researcher Pawel Wylecial discovered a serious Apple Safari bug. The vulnerability, upon exploitation, can allow stealing local data from the victims.
Sharing the details in a post, the researcher revealed that the bug exists within the Web Share API. It allows sharing links or files directly from the browser via third-party apps such as email or messaging applications.
Thus, it becomes for an adversary to trick a victim into sharing a malicious link or a file to steal local files from the victim’s device.
As described in his post,
The problem is that file: scheme is allowed and when a website points to such URL unexpected behavior occurs. In case such a link is passed to the navigator.share function an actual file from the user file system is included in the shared message which leads to local file disclosure when a user is sharing it unknowingly.
The following video demonstrates how the bug allows stealing data upon an exploit. As shown, sharing a seemingly harmless image leads to inadvertent disclosure of the whole browsing history because of the embedded malicious code.
Apple Delayed The Fix For About A Year
The researcher discovered the bug in April 2020. Right after this discovery, he reached out to Apple to report the matter.
While they did acknowledge the bug, they didn’t deploy a fix for it. And, as revealed by the researcher, Apple pushed the release date for a fix to Spring 2021 – one year from the disclosure.
Hence, the disgruntled researcher stepped up to disclose the bug publicly.
Though, this isn’t the first time that Apple has been giving such a response to security reports for quite some time. Some researchers even shared their experiences in response to Wylecial’s tweet.
I reported one issue in June 2019. It will be fixed on "Fall of 2020" 😅
— Wojciech Reguła (@_r3ggi) August 24, 2020
For two of my bugs they've told me same thing that it will be fixed on "Fall of 2020" and yesterday I ask for the update. They replied it's not a bug 😅
— Nikhil Mittal (@c0d3G33k) August 24, 2020
For now, the bug remains unpatched. Hence, users should remain very careful while clicking on links or sharing images.
Though, since the bug is now publicly disclosed, we may expect a quick fix from the tech giant.
Recently, a similar incident happened with Google as well that patched a Gmail bug within seven hours of public disclosure after initially delaying it for months.
Let us know your thoughts in the comments.