Safari vulnerability disclosed after Apple pushes fix to Spring 2021

The Web Share API flaw can be exploited to attach system files, including web browsing history

The Safari logo displayed on an iPhone screen

A vulnerability in Apple’s Web Share API, used to share Safari links through third-party apps, has been publicly disclosed after Apple said it wouldn’t release a fix until Spring 2021.

The Web Share API allows users to share links to elements, such as photos, from the Safari browser through third-party applications, including any email client. A flaw found in this integration, however, could allow a hacker to configure a malicious site to attach system files to an email, in addition to the link being shared.

The bug has been disclosed by researcher Pawel Wylecial four months after he first brought it to Apple’s attention, and after the company confirmed that it would be releasing a fix but that this wouldn't be available until at least Spring 2021.

The vulnerability was tested on iOS 13.4.1 and 13.6, macOS Mojave 10.14.16 with Safari 13.1 and on macOS Catalina 10.15.5 with Safari 13.1.1, although other versions of Apple iPhone and Mac operating systems, and Safari, may be affected.

Wylecial first discovered the vulnerability on 17 April and reported this Apple four days later. Although Apple suggested it would investigate the issue, a back-and-forth exchange ensued over the next few months with few or no updates.

The researcher asked for another status update on 21 July and asked if the firm needed more time to investigate, adding he would disclose the flaw after 24 July if there were no further replies or objections. The company responded suggesting it was still investigating and would follow up as soon as it had an update.

Wylecial then set the disclosure date of 24 August at the start of the month, and asked Apple for another status update. The company asked him not to publish the details, as it was planning on addressing the issue in the Spring 2021 security update.

Related Resource

Introducing VMDR: Vulnerability Management, Detection and Response

The all-in-one vulnerability management service

Download now

The researcher finally published the flaw on cue as he felt waiting for almost an additional year, after four months had already elapsed since the vulnerability was first reported, was unreasonable.

Wylecial set up a proof-of-concept site for his testing, where he exploited the flaw in the API integration to attach a user’s ‘etc/passwd file’ to an email when sharing a photo through email. This file is a text file that contains the attributes of each user on a machine running Linux or another Unix-like operating system. 

He also demonstrated the exploit by showing that a user’s browsing history can be exfiltrated and subsequently read through the Safari web browser.

While the flaw is described as “not serious”, given it requires user interaction in order to successfully exploit, Apple’s apparent sluggishness in fixing it could be of some concern for security researchers.

Apple's new iPhone bug bounty programme has come under similar scrutiny, with some expressing concern over the company's strict disclosure policies that effectively muzzle researchers until Apple sets a date. This deviates notably from the standard 90-day disclosure practice adopted by many companies in the industry.

Featured Resources

B2B under quarantine

Key B2C e-commerce features B2B need to adopt to survive

Download now

The top three IT pains of the new reality and how to solve them

Driving more resiliency with unified operations and service management

Download now

The five essentials from your endpoint security partner

Empower your MSP business to operate efficiently

Download now

How fashion retailers are redesigning their digital future

Fashion retail guide

Download now

Recommended

Nigerian cyber criminals target Texas unemployment system
cyber security

Nigerian cyber criminals target Texas unemployment system

27 May 2021
Hackers use open source Microsoft dev platform to deliver trojans
Security

Hackers use open source Microsoft dev platform to deliver trojans

14 May 2021

Most Popular

The benefits of workload optimisation
Sponsored

The benefits of workload optimisation

16 Jul 2021
Samsung Galaxy S21 5G review: A rose-tinted experience
Mobile Phones

Samsung Galaxy S21 5G review: A rose-tinted experience

14 Jul 2021
Six ways boards can step up support for cyber security
Business strategy

Six ways boards can step up support for cyber security

22 Jul 2021