IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Safari vulnerability disclosed after Apple pushes fix to Spring 2021

The Web Share API flaw can be exploited to attach system files, including web browsing history

A vulnerability in Apple’s Web Share API, used to share Safari links through third-party apps, has been publicly disclosed after Apple said it wouldn’t release a fix until Spring 2021.

The Web Share API allows users to share links to elements, such as photos, from the Safari browser through third-party applications, including any email client. A flaw found in this integration, however, could allow a hacker to configure a malicious site to attach system files to an email, in addition to the link being shared.

The bug has been disclosed by researcher Pawel Wylecial four months after he first brought it to Apple’s attention, and after the company confirmed that it would be releasing a fix but that this wouldn't be available until at least Spring 2021.

The vulnerability was tested on iOS 13.4.1 and 13.6, macOS Mojave 10.14.16 with Safari 13.1 and on macOS Catalina 10.15.5 with Safari 13.1.1, although other versions of Apple iPhone and Mac operating systems, and Safari, may be affected.

Wylecial first discovered the vulnerability on 17 April and reported this Apple four days later. Although Apple suggested it would investigate the issue, a back-and-forth exchange ensued over the next few months with few or no updates.

The researcher asked for another status update on 21 July and asked if the firm needed more time to investigate, adding he would disclose the flaw after 24 July if there were no further replies or objections. The company responded suggesting it was still investigating and would follow up as soon as it had an update.

Wylecial then set the disclosure date of 24 August at the start of the month, and asked Apple for another status update. The company asked him not to publish the details, as it was planning on addressing the issue in the Spring 2021 security update.

Related Resource

Introducing VMDR: Vulnerability Management, Detection and Response

The all-in-one vulnerability management service

Download now

The researcher finally published the flaw on cue as he felt waiting for almost an additional year, after four months had already elapsed since the vulnerability was first reported, was unreasonable.

Wylecial set up a proof-of-concept site for his testing, where he exploited the flaw in the API integration to attach a user’s ‘etc/passwd file’ to an email when sharing a photo through email. This file is a text file that contains the attributes of each user on a machine running Linux or another Unix-like operating system. 

He also demonstrated the exploit by showing that a user’s browsing history can be exfiltrated and subsequently read through the Safari web browser.

While the flaw is described as “not serious”, given it requires user interaction in order to successfully exploit, Apple’s apparent sluggishness in fixing it could be of some concern for security researchers.

Apple's new iPhone bug bounty programme has come under similar scrutiny, with some expressing concern over the company's strict disclosure policies that effectively muzzle researchers until Apple sets a date. This deviates notably from the standard 90-day disclosure practice adopted by many companies in the industry.

Featured Resources

Accelerating AI modernisation with data infrastructure

Generate business value from your AI initiatives

Free Download

Recommendations for managing AI risks

Integrate your external AI tool findings into your broader security programs

Free Download

Modernise your legacy databases in the cloud

An introduction to cloud databases

Free Download

Powering through to innovation

IT agility drive digital transformation

Free Download

Most Popular

LockBit 2.0 ransomware disguised as PDFs distributed in email attacks

LockBit 2.0 ransomware disguised as PDFs distributed in email attacks

27 Jun 2022
The UK's best cities for tech workers in 2022
Business strategy

The UK's best cities for tech workers in 2022

24 Jun 2022
Carnival hit with $5 million fine over cyber security violations
cyber security

Carnival hit with $5 million fine over cyber security violations

27 Jun 2022