A Polish security researcher has revealed a flaw in a cross-browser sharing API that could let attackers steal user files.
The researcher disclosed details of an Apple Safari web browser security hole that could leak local files by sharing them with other browsers & applications, & could be exploited by attackers. The disclosure came only after Apple explained it would delay patching the vulnerability for almost a year! The researcher rated the bug as “not very serious”.
Web Share API
Pawel Wylecial, co-founder of REDTEAM.PL, flagged the issue. He blamed the bug on Safari’s implementation of the Web Share API in a blog post published on Monday outlining his work. The relatively new API lets users share links from the browser via 3rd-party applications, e.g. mail & messaging apps.
The core issue is that the implementation accepts the file: scheme, in both the mobile & desktop versions of Safari, which gives access to files stored on the user’s local hard drive.
Unknowingly, users can share personal files or data with a malicious site while believing they are only sharing an article or link with friends, Wylecial explained.
Local File Disclosure
“The problem is that file: scheme is allowed, & when a website points to such a URL unexpected behaviour occurs,” Wylecial explained further.
“In case such a link is passed to the navigator.share function an actual file from the user file system is included in the shared message, which leads to local file disclosure when a user is sharing it unknowingly.”
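As an added example (not code from the researcher’s write-up, from Apple or from any browser), this is the kind of scheme check a site can put in front of navigator.share so that only web URLs ever reach the share sheet; the function names and the injected nav object are assumptions made for this illustration:

```javascript
// Added defensive example: only http(s) URLs are handed to the share sheet.
// Function names and the injected `nav` parameter are assumptions, not
// part of the researcher's write-up or of any browser's API.

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Resolve `candidate` against `base` (relative links are allowed) and return
// the normalised absolute URL, or null if the scheme is not http/https.
function safeShareUrl(candidate, base = "https://example.com/") {
  let parsed;
  try {
    parsed = new URL(String(candidate), base);
  } catch {
    return null; // unparsable input is treated the same as a bad scheme
  }
  return ALLOWED_SCHEMES.has(parsed.protocol) ? parsed.href : null;
}

// Build the ShareData object, or report why it was refused.
function buildSharePayload({ title, text, url }) {
  const safe = safeShareUrl(url);
  if (safe === null) {
    return { ok: false, reason: `refused share of non-web URL: ${String(url)}` };
  }
  return { ok: true, payload: { title, text, url: safe } };
}

// `nav` is normally `navigator`; it is passed in so the logic is testable
// outside a browser. Resolves to an object describing what happened.
async function shareLink(nav, data) {
  const built = buildSharePayload(data);
  if (!built.ok) return { shared: false, reason: built.reason };
  if (typeof nav.share !== "function") {
    return { shared: false, reason: "Web Share API not available" };
  }
  if (typeof nav.canShare === "function" && !nav.canShare(built.payload)) {
    return { shared: false, reason: "browser refused this payload" };
  }
  await nav.share(built.payload);
  return { shared: true, url: built.payload.url };
}
```

The check matters most where the shared URL is built from user-supplied content (comments, profile links), since the browser-side fix the researcher asked for was not available at the time of disclosure.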
Wylecial agreed that the “problem is not very serious” because it requires a user to act instead of allowing an attacker to remotely control someone’s system without their knowledge.
However, he observed that it is not difficult to make the shared file ‘invisible’ to the user, & compared the capability the flaw gives an attacker to ‘click-jacking’, in that it aims “to convince the unsuspecting user to perform some action.”
That the bug is not highly serious may be beside the point. Wylecial’s disclosure again highlights Apple’s slow approach to patching vulnerabilities discovered by 3rd-party researchers, as well as its historically poor relationship with them.
Wylecial reported the bug to Apple on April 17, & the company acknowledged receipt of his report 4 days later. After much discussion earlier this month, Apple outlined that it would address the issue in the Spring 2021 Safari update, nearly a year after the issue was flagged.
This led to Wylecial revealing his research, he explained. He commented that he told Apple “that waiting with the disclosure for almost an additional year, while 4 months already have passed since reporting the issue, is not reasonable.” Then he went public.
Bug Bounty Program
The disclosure shows the ongoing tension between Apple & security researchers, which many thought was on its way to being solved when the company finally opened its bug bounty program to the public in December 2019, a move announced 4 months before at Black Hat in August.
The revamped public program boosted pay-outs & expanded the range of platforms open to researchers compared with the previous program, which was invite-only, with rewards only as high as $200,000 on limited platforms.
Now, researchers can receive up to $1m for the most critical zero-day flaws on its latest hardware, & between $25,000 & $500,000 for discovering vulnerabilities in a range of other products, including Macs, iPhones & iPads, & Apple TV.
Even after these changes, some researchers, including Google Project Zero’s Ian Beer, who discovered a number of zero-day iOS flaws, did not participate in Apple’s bug bounty program.