
Expert discloses unpatched Safari flaw that allows stealing local files

A researcher disclosed technical details of an unpatched vulnerability in Apple’s Safari web browser that can be exploited to steal files from the targeted system.

An expert disclosed the details of an unpatched vulnerability in Apple’s Safari web browser that can be exploited by attackers to steal files from a targeted system.

The vulnerability was discovered in April by the security researcher Pawel Wylecial, founder of the security firms REDTEAM.PL and BlackOwlSec. In August, after months of analysis, Apple told the researcher that it would address the issue in the spring of 2021 and asked him not to disclose it publicly until then.

However, Wylecial opted to disclose his discovery in order to push the company into addressing the issue earlier.

The vulnerability resides in the Web Share API that allows users to share links from Safari through third-party apps, such as email and messaging apps.

“The problem is that file: scheme is allowed and when a website points to such URL unexpected behavior occurs. In case such a link is passed to the navigator.share function an actual file from the user file system is included in the shared message which leads to local file disclosure when a user is sharing it unknowingly,” Wylecial wrote in a blog post. “The problem is not very serious as user interaction is required, however it is quite easy to make the shared file invisible to the user. The closest comparison that comes to mind is clickjacking as we try to convince the unsuspecting user to perform some action.”

In order to exploit the issue, the attacker has to trick the victim into visiting a malicious website and performing a specific sequence of actions.

The researcher set up a malicious website to demonstrate an attack that steals the local passwd file or a file storing the user’s browsing history. The website shows an image and a message asking visitors to share it with their friends using a button on the same page. Upon clicking the button, users are asked to select the application they want to use to share a link to the image. When the image is shared via email, the attacker’s code also attaches an arbitrary file from the target’s system.

Wylecial pointed out that the victim would have to scroll down to see the attached file, and in some cases the name of the attachment may not be displayed at all, making the attack harder to spot.

The attack works on devices running iOS 13.4.1 and 13.6, macOS Mojave 10.14.16 with Safari 13.1, and on macOS Catalina 10.15.5 with Safari 13.1.1.
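The root cause described above is that the `url` field handed to `navigator.share` was not restricted to web schemes, so a `file:` link became a file attachment. The following is an added example, not code from the article or from Wylecial’s write-up: a page-side wrapper that resolves a candidate link the way the browser would and only forwards it to the share sheet when the scheme is `http:` or `https:`. The fallback base URL `https://example.invalid/` and the `safeShare`/`safeShareUrl` names are assumptions for illustration.

```javascript
// Added example: allowlist the URL scheme before calling navigator.share().
// Assumed names: safeShareUrl, safeShare; assumed fallback base URL.

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Resolve `candidate` against `base` (as the browser does for relative links)
// and return the normalized absolute URL, or null if the scheme is not http(s).
// URL lowercases the scheme, so "FILE:///..." is rejected like "file:///...".
function safeShareUrl(candidate, base) {
  // In a browser the page's own base URL is used; the fallback is a constructed
  // placeholder so the function also runs outside a browser (e.g. in tests).
  const resolvedBase =
    base || (typeof document !== "undefined" ? document.baseURI : "https://example.invalid/");
  let parsed;
  try {
    parsed = new URL(String(candidate), resolvedBase);
  } catch (e) {
    return null; // unparseable input is rejected rather than passed through
  }
  return ALLOWED_SCHEMES.has(parsed.protocol) ? parsed.href : null;
}

// Validate share data, then hand it to `shareFn` (navigator.share in a browser;
// injectable so the check can be exercised without a share sheet).
// Resolves to the payload that was actually shared; throws on a bad URL.
async function safeShare(data, shareFn) {
  const payload = { ...data };
  if (payload.url !== undefined) {
    const url = safeShareUrl(payload.url);
    if (url === null) {
      throw new TypeError(`refusing to share non-http(s) URL: ${String(payload.url)}`);
    }
    payload.url = url; // always the normalized absolute form
  }
  const fn = shareFn || navigator.share.bind(navigator);
  await fn(payload);
  return payload;
}
```

Applying the allowlist after resolution matters: a relative link such as `/cat.jpg` is still shared, while anything that resolves to a `file:`, `javascript:` or other non-web scheme is refused before the share sheet ever sees it.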


Pierluigi Paganini

(SecurityAffairs – hacking, Safari)
