Security Experts:

Connect with us

Hi, what are you looking for?



Unpatched Safari Vulnerability Allows Theft of Local Files

A researcher has disclosed the details of an unpatched vulnerability in Apple’s Safari web browser that can be exploited to steal files from a targeted user’s system.

A researcher has disclosed the details of an unpatched vulnerability in Apple’s Safari web browser that can be exploited to steal files from a targeted user’s system.

The issue was discovered in April by Pawel Wylecial, a Poland-based security researcher and founder of cybersecurity services companies REDTEAM.PL and BlackOwlSec. Apple said at the time that it had started investigating the issue, but the tech giant told Wylecial in mid-August that it would only address it with a security update in the spring of 2021.

Apple asked the researcher to hold off disclosure until then, but Wylecial decided that it was too long and made his findings public this week.

The vulnerability is related to the Web Share API, which allows users to share links from Safari through third-party apps (e.g. email and messaging software).

“The problem is that file: scheme is allowed and when a website points to such URL unexpected behavior occurs. In case such a link is passed to the navigator.share function an actual file from the user file system is included in the shared message which leads to local file disclosure when a user is sharing it unknowingly,” Wylecial explained in a blog post.

Launching an attack requires convincing the targeted user to visit a malicious website and performing certain actions, but the researcher has described an attack scenario that could be successful.

He set up a website containing an image of a kitten and urging visitors to share it with their friends using a dedicated button on the page. When the user presses the button, they are asked to select the application they want to use to share a link to the image. If they send it via email, the attacker’s code, in addition to adding the image URL, attaches an arbitrary file from the victim’s system.

Wylecial showed how the attacker can steal the local passwd file or a file storing the user’s browsing history. He pointed out that in some cases, depending on the application they use, the victim is unlikely to notice that a file has been attached to the email — they would have to scroll down to see the attachment — or the name of the attachment may not be displayed, which increases the hack’s chances of success.

Wylecial says he has tested the attack on devices running iOS 13.4.1 and 13.6, macOS Mojave 10.14.16 with Safari 13.1, and on macOS Catalina 10.15.5 with Safari 13.1.1.

SecurityWeek has reached out to Apple for comment and will update this article if the company responds.

Related: Zero-Day Vulnerabilities in iOS Mail App Exploited in Targeted Attacks

Related: Apple Finds No Evidence of Attacks Targeting iOS Mail App Vulnerabilities

Related: Apple Patches Recent iPhone Jailbreak Zero-Day

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.