A researcher has disclosed the details of an unpatched vulnerability in Apple’s Safari web browser that can be exploited to steal files from a targeted user’s system.
The issue was discovered in April by Pawel Wylecial, a Poland-based security researcher and founder of cybersecurity services companies REDTEAM.PL and BlackOwlSec. Apple said at the time that it had started investigating the issue, but the tech giant told Wylecial in mid-August that it would only address it with a security update in the spring of 2021.
Apple asked the researcher to hold off disclosure until then, but Wylecial decided that it was too long and made his findings public this week.
The vulnerability is related to the Web Share API, which allows users to share links from Safari through third-party apps (e.g. email and messaging software).
“The problem is that file: scheme is allowed and when a website points to such URL unexpected behavior occurs. In case such a link is passed to the navigator.share function an actual file from the user file system is included in the shared message which leads to local file disclosure when a user is sharing it unknowingly,” Wylecial explained in a blog post.
Launching an attack requires convincing the targeted user to visit a malicious website and performing certain actions, but the researcher has described an attack scenario that could be successful.
He set up a website containing an image of a kitten and urging visitors to share it with their friends using a dedicated button on the page. When the user presses the button, they are asked to select the application they want to use to share a link to the image. If they send it via email, the attacker’s code, in addition to adding the image URL, attaches an arbitrary file from the victim’s system.
Wylecial showed how the attacker can steal the local passwd file or a file storing the user’s browsing history. He pointed out that in some cases, depending on the application they use, the victim is unlikely to notice that a file has been attached to the email — they would have to scroll down to see the attachment — or the name of the attachment may not be displayed, which increases the hack’s chances of success.
Wylecial says he has tested the attack on devices running iOS 13.4.1 and 13.6, macOS Mojave 10.14.16 with Safari 13.1, and on macOS Catalina 10.15.5 with Safari 13.1.1.
SecurityWeek has reached out to Apple for comment and will update this article if the company responds.
Related: Zero-Day Vulnerabilities in iOS Mail App Exploited in Targeted Attacks
Related: Apple Finds No Evidence of Attacks Targeting iOS Mail App Vulnerabilities