Expert discloses unpatched Safari flaw that allows stealing local files

A researcher disclosed technical details of an unpatched vulnerability in Apple’s Safari web browser that can be exploited to steal files from the targeted system.

An expert disclosed the details of an unpatched vulnerability in Apple’s Safari web browser that can be exploited by attackers to steal files from a targeted system.

The vulnerability was discovered in April by the security researcher Pawel Wylecial, founder of security firms REDTEAM.PL and BlackOwlSec. In August, after months of analysis, Apple told the researchers that it would address the issue in the spring of 2021 and asked him to don’t publicly disclose the issue until then,

However, Wylecial opted to disclose his discovery to force the company in addressing the issue earlier.

The vulnerability resides in the Web Share API that allows users to share links from Safari through third-party apps, such as email and messaging apps.

“The problem is that file: scheme is allowed and when a website points to such URL unexpected behavior occurs. In case such a link is passed to the navigator.share function an actual file from the user file system is included in the shared message which leads to local file disclosure when a user is sharing it unknowingly,” Wylecial wrote in a blog post. “The problem is not very serious as user interaction is required, however it is quite easy to make the shared file invisible to the user. The closest comparison that comes to mind is clickjacking as we try to convince the unsuspecting user to perform some action.”

In order to exploit the issue, the attacker have to trick the victims into visiting a malicious website and performing a specific sequence of actions.

The researchers set up a malicious website to demonstrate an attack to steal the local passwd file or a file storing the user’s browsing history. The website includes an image an a message that requests visitors to share it with their friends using a button on the same page. Upon clicking the button, users are asked to select the application they want to use to share a link to the image. Sharing the image via email, the attacker’s code, also attache an arbitrary file from the target’s system.

Wylecial pointed out that the victims would have to scroll down to see the attached file or is some cases the name of the attachment may not be displayed, making harder the attack to be spotted.

The attack works on devices running iOS 13.4.1 and 13.6, macOS Mojave 10.14.16 with Safari 13.1, and on macOS Catalina 10.15.5 with Safari 13.1.1.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Safari)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.