A security researcher has discovered a dangerous vulnerability in Safari, and Apple has delayed the release of the patch by almost a year.
A security researcher today released details of a Safari browser bug that could be used to leak or steal files from users’ devices.
The bug was discovered by Paweł Wylecial, co-founder of the Polish security firm REDTEAM.PL.
Wylecial originally reported the bug to Apple in April of this year, but decided to make his findings public today after the OS maker delayed fixing it by almost a year, until spring 2021.
How the bug works
In a blog post, Wylecial said the bug is related to the implementation of the Safari Web Share API, a new web standard that introduces a cross-browser API for sharing text, links, files, and other content.
The security researcher says that Safari (on both iOS and macOS) supports sharing files that are stored on the user’s local hard drive (via the file:// URI scheme).
As a result, when a user shares content via email, local files from the user's device are attached to the message and sent to the attacker along with the shared content. These can include, for example, files containing browsing history or passwords.
This means a malicious web page can trick users into sharing an article via email while secretly sending files from their device along with it.
To understand how the bug works, watch the demo video below.
Wylecial described the bug as "not very serious", as user interaction and complex social engineering are needed to trick users into giving up local files; however, he also acknowledged that it was fairly easy for attackers to "make a shared file invisible to the user".
However, the real problem here is not only the bug itself and how easy or difficult it is to exploit, but how Apple handled the bug report.
Apple not only failed to produce a patch after more than four months, but also tried to hold the researcher back from publishing his results until next spring, almost a year after the bug was originally reported. By contrast, the widely accepted deadline for vulnerability disclosure in the information technology industry is 90 days.
Situations like the one that Wylecial had to deal with are becoming more common among iOS and macOS bug hunters these days.
Apple, despite announcing a dedicated bug bounty program, is increasingly accused of deliberately delaying bug fixes and trying to silence security researchers.
For example, when Wylecial disclosed his bug today, other researchers reported similar situations in which Apple delayed fixing the security bugs they had reported for more than a year.
When Apple announced the rules for the Security Research Device program in July, the vaunted Project Zero security team refused to participate, saying the program rules were specifically written to limit public disclosure and silence security researchers about their findings.