Being one of the major web browsers, Safari browser gets its fair share of scrutiny from cybersecurity professionals. In the latest, researcher Pawel Wylecial from REDTEAM.PL has discovered a vulnerability in the browser that would allow an attacker to steal user files.
Reported to Apple on 17 April earlier this year, Apple continued to delay the issue despite the researcher repeatedly asking for status updates. Finally, on 14 August, Apple stated that they would fix the issue next year by Spring in response to which the flaw was disclosed on 24 August seeing that it is unreasonable to take so much time to fix a bug.
Safari Web Share API
Safari’s Web Share API is a cross-browser API to share URLs, files, text, and other content. The team found that the API is capable of sharing files stored on a user’s hard drive by changing the URL scheme (file://). A web site exploiting this bug could steal files if a user shared the article elsewhere.
Browsing history could also be leaked in this manner. The team says the bug is “not very serious” because it requires user interaction and social interaction to trick the person into leaking their files. They have more of an issue with Apple’s response, saying that the company’s request to delay the disclosure for almost a full year is “way past the standard 90-days vulnerability disclosure deadline that’s broadly accepted in the infosec industry.”
To conclude, this remains another example of how sometimes even the most well equipped of companies could have lax measures in place to address security grievances. If Apple is serious about protecting users, it should review its internal policies to make sure all bugs are patched within an acceptable timeframe.