Home / iOS / Security researcher discloses Safari bug after Apple delays patch

Security researcher discloses Safari bug after Apple delays patch



A security researcher has published details today about a Safari browser bug that could be abused to leak or steal files from users’ devices.

The bug was discovered by Pawel Wylecial, co-founder of Polish security firm REDTEAM.PL.

Wylecial initially reported the bug to Apple earlier this spring, in April, but the researcher decided to go public with his findings today after the OS maker delayed patching the bug for almost a year, to the spring of 2021.

How does the bug work

In a blog post today, Wylecial said the bug resides in Safari’s implementation of the Web Share API — a new web standard that introduced a cross-browser API for sharing text, links, files, and other content.

The security researcher says that Safari (on both iOS and macOS) supports sharing files that are stored on the user’s local hard drive (via the file:// URI scheme).

This is a big privacy issue as this could lead to situations where malicious web pages might invite users to share an article via email with their friends, but end up secretly siphoning or leaking a file from their device.

See the video below for a demonstration of the bug, or play with these two demo pages that can exfiltrate a Safari user’s /etc/passwd or browser history database files.