Safari vulnerability disclosed after Apple pushes fix to Spring 2021

The Web Share API flaw can be exploited to attach system files, including web browsing history

The Safari logo displayed on an iPhone screen

A vulnerability in Apple’s Web Share API, used to share Safari links through third-party apps, has been publicly disclosed after Apple said it wouldn’t release a fix until Spring 2021.

The Web Share API allows users to share links to elements, such as photos, from the Safari browser through third-party applications, including any email client. A flaw found in this integration, however, could allow a hacker to configure a malicious site to attach system files to an email, in addition to the link being shared.

The bug has been disclosed by researcher Pawel Wylecial four months after he first brought it to Apple’s attention, and after the company confirmed that it would be releasing a fix but that this wouldn't be available until at least Spring 2021.

The vulnerability was tested on iOS 13.4.1 and 13.6, macOS Mojave 10.14.16 with Safari 13.1 and on macOS Catalina 10.15.5 with Safari 13.1.1, although other versions of Apple iPhone and Mac operating systems, and Safari, may be affected.

Wylecial first discovered the vulnerability on 17 April and reported this Apple four days later. Although Apple suggested it would investigate the issue, a back-and-forth exchange ensued over the next few months with few or no updates.

The researcher asked for another status update on 21 July and asked if the firm needed more time to investigate, adding he would disclose the flaw after 24 July if there were no further replies or objections. The company responded suggesting it was still investigating and would follow up as soon as it had an update.

Wylecial then set the disclosure date of 24 August at the start of the month, and asked Apple for another status update. The company asked him not to publish the details, as it was planning on addressing the issue in the Spring 2021 security update.

Related Resource

Introducing VMDR: Vulnerability Management, Detection and Response

The all-in-one vulnerability management service

Download now

The researcher finally published the flaw on cue as he felt waiting for almost an additional year, after four months had already elapsed since the vulnerability was first reported, was unreasonable.

Wylecial set up a proof-of-concept site for his testing, where he exploited the flaw in the API integration to attach a user’s ‘etc/passwd file’ to an email when sharing a photo through email. This file is a text file that contains the attributes of each user on a machine running Linux or another Unix-like operating system. 

He also demonstrated the exploit by showing that a user’s browsing history can be exfiltrated and subsequently read through the Safari web browser.

While the flaw is described as “not serious”, given it requires user interaction in order to successfully exploit, Apple’s apparent sluggishness in fixing it could be of some concern for security researchers.

Apple's new iPhone bug bounty programme has come under similar scrutiny, with some expressing concern over the company's strict disclosure policies that effectively muzzle researchers until Apple sets a date. This deviates notably from the standard 90-day disclosure practice adopted by many companies in the industry.

Featured Resources

How to scale your organisation in the cloud

How to overcome common scaling challenges and choose the right scalable cloud service

Download now

The people factor: A critical ingredient for intelligent communications

How to improve communication within your business

Download now

Future of video conferencing

Optimising video conferencing features to achieve business goals

Download now

Improving cyber security for remote working

13 recommendations for security from any location

Download now

Recommended

Malicious ‘Dependency Confusion’ packages are stealing password files
hacking

Malicious ‘Dependency Confusion’ packages are stealing password files

2 Mar 2021
AOL users are the target of a new phishing campaign
phishing

AOL users are the target of a new phishing campaign

1 Mar 2021
Lazarus APT hacking group is targeting the defense industry
Security

Lazarus APT hacking group is targeting the defense industry

26 Feb 2021
FedEx and DHL phishing emails target Microsoft users
phishing

FedEx and DHL phishing emails target Microsoft users

24 Feb 2021

Most Popular

How to connect one, two or more monitors to your laptop
Laptops

How to connect one, two or more monitors to your laptop

25 Feb 2021
How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

26 Feb 2021
Ransomware operators are exploiting VMware ESXi flaws
ransomware

Ransomware operators are exploiting VMware ESXi flaws

1 Mar 2021