Frustrated with Apple’s long timeline for issuing a patch, a security researcher has released details of a bug in Safari on both iOS and macOS that lets a malicious website use the browser’s Web Share API to attach a local file to a message the victim shares, disclosing sensitive information from the victim’s device.
The API is designed to let users share content from the browser through other apps, such as email or messaging apps. Security researcher Pawel Wylecial discovered that Safari’s implementation accepts file: URLs, which lets an attacker hide what is actually being shared: a local file is attached to the outgoing message without the victim’s knowledge.
“The problem is that file: scheme is allowed and when a website points to such URL unexpected behavior occurs. In case such a link is passed to the navigator.share function an actual file from the user file system is included in the shared message which leads to local file disclosure when a user is sharing it unknowingly,” Wylecial said in a post on the vulnerability.
After looking into the behavior, Wylecial found that a specially crafted website calling the Web Share API with a file: URL could pull a file such as the passwd file from the victim’s machine and share it if the victim clicked the site’s share link. For example, if the victim chooses to share the link via the Messages app on macOS, the attachment in the window that opens has no file name, so the victim would not immediately realize what content was being shared.
He also found that he could grab a victim’s browsing history from Safari on iOS using the same vulnerability.
“I thought about a more useful scenario on how this bug could be used to extract sensitive information as a passwd file is only good for demonstration. It had to be something accessible from Safari app so browser history seemed like a good candidate to exfiltrate. In order to achieve that we only needed to change the url value to the following: file:///private/var/mobile/Library/Safari/History.db,” he said.
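The behavior described in the two scenarios above, modeled as an added example (this is illustrative code, not WebKit’s implementation or Wylecial’s proof of concept). It assumes a vulnerable user agent that resolves any parseable URL and attaches the referenced file when the scheme is file:, and a hardened one that follows the Web Share specification’s rule of accepting only http(s) URLs; the file system contents and the attacker’s share payload are constructed stand-ins, and nothing is read from disk.

```javascript
// Added example: a minimal model of Web Share API URL handling, showing why
// accepting file: URLs in navigator.share() leaks local files and what a
// hardened implementation checks before sharing. Not WebKit's code.

// Constructed stand-in for the victim's file system (assumption: paths and
// contents are invented for the demo; nothing is read from the real disk).
const FAKE_FS = {
  '/etc/passwd': 'root:*:0:0:System Administrator:/var/root:/bin/sh\n',
  '/private/var/mobile/Library/Safari/History.db': '<sqlite database bytes>',
};

// What an attacker's page would pass to navigator.share(): a harmless-looking
// title and a url pointing at a local file (the history database case above).
const ATTACKER_SHARE_DATA = {
  title: 'Check out this article',
  url: 'file:///private/var/mobile/Library/Safari/History.db',
};

// Vulnerable behaviour as described in the article: the file: URL is accepted
// and the referenced local file ends up in the shared message. The attachment
// carries no file name, so the victim sees a nameless attachment.
function vulnerableShare(data, fs = FAKE_FS) {
  const url = new URL(data.url); // throws TypeError on an unparseable URL
  if (url.protocol === 'file:') {
    const path = decodeURIComponent(url.pathname);
    return {
      title: data.title || '',
      attachments: [{ name: '', body: fs[path] }],
    };
  }
  return { title: data.title || '', url: url.href, attachments: [] };
}

// Hardened behaviour: only http(s) URLs may be shared. Relative URLs are
// resolved against the sharing page, as the spec requires, and anything that
// fails to parse or resolves to another scheme (file:, javascript:, data:)
// is rejected before any local resource is touched.
const SHAREABLE_SCHEMES = new Set(['http:', 'https:']);

function isShareableUrl(candidate, base = 'https://attacker.example/') {
  let url;
  try {
    url = new URL(candidate, base);
  } catch {
    return false;
  }
  return SHAREABLE_SCHEMES.has(url.protocol);
}

function hardenedShare(data) {
  if (data.url !== undefined && !isShareableUrl(data.url)) {
    throw new TypeError('Invalid URL in share data');
  }
  return {
    title: data.title || '',
    url: data.url === undefined ? undefined : new URL(data.url, 'https://attacker.example/').href,
    attachments: [], // a URL share never carries file contents
  };
}

// Walk through both models with the attacker's payload.
function demo() {
  const leaked = vulnerableShare(ATTACKER_SHARE_DATA);
  let rejected = false;
  try {
    hardenedShare(ATTACKER_SHARE_DATA);
  } catch (e) {
    rejected = e instanceof TypeError;
  }
  return { leakedBody: leaked.attachments[0].body, attachmentName: leaked.attachments[0].name, rejected };
}
```

The important property is that the hardened check runs on the parsed scheme, not on a string prefix: `new URL()` normalizes the input, so variants such as `FILE:///etc/passwd` or a relative path still resolve to exactly one scheme before the allowlist is consulted. Web developers cannot fix this bug from the page side, since the check has to live in the browser; the example shows where it belongs.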
Wylecial discovered the issue in April and reported it to Apple on April 17. The company acknowledged the report a few days later and said it would investigate. But after a few weeks of communication, Wylecial said that Apple stopped replying to his requests for status updates. In early August Wylecial informed Apple that he planned to disclose the bug on Aug. 24, and a few days later Apple asked him to delay his disclosure because the company planned to fix the issue in its spring 2021 security update. Wylecial replied that “waiting with the disclosure for almost an additional year, while 4 months already have passed since reporting the issue is not reasonable”.
He disclosed the vulnerability on Monday, and on Tuesday an Apple engineer committed a patch for the issue to the WebKit project, the open-source browser engine on which Safari is built. Wylecial said he has not yet had a chance to analyze the patch and has not heard anything more from Apple since disclosing the flaw.