CONFERENCE Cyber AI & Automation Summit - Watch Sessions
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Unpatched Safari Vulnerability Allows Theft of Local Files

A researcher has disclosed the details of an unpatched vulnerability in Apple’s Safari web browser that can be exploited to steal files from a targeted user’s system.

A researcher has disclosed the details of an unpatched vulnerability in Apple’s Safari web browser that can be exploited to steal files from a targeted user’s system.

The issue was discovered in April by Pawel Wylecial, a Poland-based security researcher and founder of cybersecurity services companies REDTEAM.PL and BlackOwlSec. Apple said at the time that it had started investigating the issue, but the tech giant told Wylecial in mid-August that it would only address it with a security update in the spring of 2021.

Apple asked the researcher to hold off disclosure until then, but Wylecial decided that it was too long and made his findings public this week.

The vulnerability is related to the Web Share API, which allows users to share links from Safari through third-party apps (e.g. email and messaging software).

“The problem is that file: scheme is allowed and when a website points to such URL unexpected behavior occurs. In case such a link is passed to the navigator.share function an actual file from the user file system is included in the shared message which leads to local file disclosure when a user is sharing it unknowingly,” Wylecial explained in a blog post.

Launching an attack requires convincing the targeted user to visit a malicious website and performing certain actions, but the researcher has described an attack scenario that could be successful.

He set up a website containing an image of a kitten and urging visitors to share it with their friends using a dedicated button on the page. When the user presses the button, they are asked to select the application they want to use to share a link to the image. If they send it via email, the attacker’s code, in addition to adding the image URL, attaches an arbitrary file from the victim’s system.

Wylecial showed how the attacker can steal the local passwd file or a file storing the user’s browsing history. He pointed out that in some cases, depending on the application they use, the victim is unlikely to notice that a file has been attached to the email — they would have to scroll down to see the attachment — or the name of the attachment may not be displayed, which increases the hack’s chances of success.

Advertisement. Scroll to continue reading.

Wylecial says he has tested the attack on devices running iOS 13.4.1 and 13.6, macOS Mojave 10.14.16 with Safari 13.1, and on macOS Catalina 10.15.5 with Safari 13.1.1.

SecurityWeek has reached out to Apple for comment and will update this article if the company responds.

Related: Zero-Day Vulnerabilities in iOS Mail App Exploited in Targeted Attacks

Related: Apple Finds No Evidence of Attacks Targeting iOS Mail App Vulnerabilities

Related: Apple Patches Recent iPhone Jailbreak Zero-Day

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Don’t miss this Live Attack demonstration to learn how hackers operate and gain the knowledge to strengthen your defenses.

Register

Join us as we share best practices for uncovering risks and determining next steps when vetting external resources, implementing solutions, and procuring post-installation support.

Register

People on the Move

Shanta Kohli has been named CMO at Sysdig.

Cloud security firm Sysdig has appointed Sergej Epp as CISO.

F5 has appointed John Maddison as Chief Product Marketing and Technology Alliances Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.