‘Oversharing’ web bug remains unresolved, researcher claims
Security shortcomings in Apple’s Safari Web Share API create a mechanism that potentially allows attackers to steal local files.
The unresolved vulnerability – discovered by security researcher Pawel Wylecial – affects both macOS desktop and iOS smartphone/tablet users (Safari and Mobile Safari).
Wylecial said he reported the issue to Apple in April and, after repeatedly chasing the vendor on the subject, was informed by the tech giant that it only planned to release an update in its April 2021 security update.
Faced with a further long delay, Wylecial went public with his findings about a security flaw he warns could be harnessed in social engineering attacks.
The Polish security researcher compares the issue to a clickjacking vulnerability.
Share and enjoy
The Web Share API allows Safari users to share links from the browser via third-party applications, such as mail and messaging apps.
“The problem is that file: scheme is allowed and when a website points to such URL unexpected behavior occurs,” Wylecial explains in a blog post.
“In case such a link is passed to the navigator.share function an actual file from the user file system is included in the shared message which leads to local file disclosure.”
Although some user interaction is required to carry out an exploit, Wylecial warns that this barrier is far from insurmountable, since it is “quite easy to make the shared file invisible to the user”.
“The closest comparison that comes to mind is clickjacking as we try to convince the unsuspecting user to perform some action,” he added.
Proof of concept
The vulnerability could be abused either to trick Apple system users and snaffle local files, though in most (but not all) scenarios, the filename of documents handed over will be displayed.
Messages for iOS display the filename quite prominently but for other apps, such as the Mail.app for macOS, users have to scroll down to see the name of the attachment appended to messages.
More straightforwardly, the flaw could be used to steal iOS Safari browsing history.
Wylecial has developed and released proof of concept code to carry out both the password stealing and iOS Safari browsing history exploits.
The researcher has also put together a video on YouTube demonstrating how to steal a user’s browsing history using the Web Share API.
The attack is said to work on the latest versions of iOS (13.4.1, 13.6) and macOS Catalina 10.15.5 with Safari 13.1.1, Wylecial reports.
Wylecial suspects other browsers that rely on the WebKit engine might also be vulnerable.
In response to questions from The Daily Swig, Wylecia said “I haven't tested other WebKit based browsers, only checked Chrome for Android but my guess is yes [they are vulnerable]”.