Security researcher Pawel Wylecial openly divulged the other day a Safari vulnerability that might persuade users to covertly send any file on their system to a recipient.
Wylecial himself states the bug “is not really severe,” in that it still requires an individual to manually do something in order to incorrectly send out a file from ones system to another person– including going into a recipient–” it is quite simple to make the shared file undetectable to the user. The closest comparison that enters your mind is clickjacking as we try to encourage the unsuspecting user to carry out some action.”
How it works is pretty easy. Safaris Web Share API supports the file:// URI plan. As a result, you can incorporate a link to a file on a users computer system within the exact same website button a user would otherwise use to share the content theyre looking at via a third-party app.
For example, clicking on this button:
Screenshot: David Murphy
G/O Media might get a commission
and sharing that image via, state, the macOS Mail app, would develop a rather innocent message–” have a look at this charming kitten!”– that would also include your Macs “passwd” file, as the button likewise consists of the variable “file:/// etc/passwd” in the websites source code:
Screenshot: David Murphy
How it works is quite basic. Safaris Web Share API supports the file:// URI scheme. As a result, you can integrate a link to a file on a users computer system within the exact same website button a user would otherwise use to share the content theyre looking at through a third-party app.
Wylecial disclosed this vulnerability to Apple in April of 2020. Apple finally replied in July that theyre investigating the concern, and clarified in August that theyll be covering this in a security update set up for Spring of 2021.
If you were taking note you d see the attachment in your e-mail message and probably question and/or rapidly delete, however if you werent, well, you would have just sent over a file you didnt indicate to send out to a recipient. And I can completely see a site abusing this feature by motivating users to share content to some sort of catch-all inbox for this details.
Once again, youre most likely not most likely to be fooled if youre decently tech-savvy, however those who are not might get suckered in, especially since its tough to tell what file youre in fact sharing when you utilize other apps to produce the message. As Wylecial writes, the Gmail app, for instance, mucks up the file name so much that you would not even know you were sharing your password file (to continue this example).
