Safari vulnerability disclosed after Apple pushes fix to Spring 2021
The Web Share API flaw can be exploited to attach system files, including web browsing history


A vulnerability in Apple’s Web Share API, used to share Safari links through third-party apps, has been publicly disclosed after Apple said it wouldn’t release a fix until Spring 2021.
The Web Share API allows users to share links to elements, such as photos, from the Safari browser through third-party applications, including any email client. A flaw found in this integration, however, could allow a hacker to configure a malicious site to attach system files to an email, in addition to the link being shared.
The bug has been disclosed by researcher Pawel Wylecial four months after he first brought it to Apple’s attention, and after the company confirmed that it would be releasing a fix but that this wouldn't be available until at least Spring 2021.
The vulnerability was tested on iOS 13.4.1 and 13.6, macOS Mojave 10.14.16 with Safari 13.1 and on macOS Catalina 10.15.5 with Safari 13.1.1, although other versions of Apple iPhone and Mac operating systems, and Safari, may be affected.
Wylecial first discovered the vulnerability on 17 April and reported this Apple four days later. Although Apple suggested it would investigate the issue, a back-and-forth exchange ensued over the next few months with few or no updates.
The researcher asked for another status update on 21 July and asked if the firm needed more time to investigate, adding he would disclose the flaw after 24 July if there were no further replies or objections. The company responded suggesting it was still investigating and would follow up as soon as it had an update.
Wylecial then set the disclosure date of 24 August at the start of the month, and asked Apple for another status update. The company asked him not to publish the details, as it was planning on addressing the issue in the Spring 2021 security update.
Get the ITPro daily newsletter
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
RELATED RESOURCE
Introducing VMDR: Vulnerability Management, Detection and Response
The all-in-one vulnerability management service
The researcher finally published the flaw on cue as he felt waiting for almost an additional year, after four months had already elapsed since the vulnerability was first reported, was unreasonable.
Wylecial set up a proof-of-concept site for his testing, where he exploited the flaw in the API integration to attach a user’s ‘etc/passwd file’ to an email when sharing a photo through email. This file is a text file that contains the attributes of each user on a machine running Linux or another Unix-like operating system.
He also demonstrated the exploit by showing that a user’s browsing history can be exfiltrated and subsequently read through the Safari web browser.
While the flaw is described as “not serious”, given it requires user interaction in order to successfully exploit, Apple’s apparent sluggishness in fixing it could be of some concern for security researchers.
Apple's new iPhone bug bounty programme has come under similar scrutiny, with some expressing concern over the company's strict disclosure policies that effectively muzzle researchers until Apple sets a date. This deviates notably from the standard 90-day disclosure practice adopted by many companies in the industry.

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.
-
Cisco takes aim at AI security at RSAC with ServiceNow partnership
News The companies claim Cisco AI Defense and ServiceNow SecOps will help address new challenges raised by AI
By Jane McCallion
-
Why veterans can excel in data centers – and could help the IT sector address its skill shortages
In-depth Ex-military workers can bring software and hardware to civilian roles
By John Loeppky
-
Hackers are targeting Ivanti VPN users again – here’s what you need to know
News Ivanti has re-patched a security flaw in its Connect Secure VPN appliances that's been exploited by a China-linked espionage group since at least the middle of March.
By Emma Woollacott
-
Broadcom issues urgent alert over three VMware zero-days
News The firm says it has information to suggest all three are being exploited in the wild
By Solomon Klappholz
-
Nakivo backup flaw still present on some systems months after firms’ ‘silent patch’, researchers claim
News Over 200 vulnerable Nakivo backup instances have been identified months after the firm silently patched a security flaw.
By Solomon Klappholz
-
Everything you need to know about the Microsoft Power Pages vulnerability
News A severe Microsoft Power Pages vulnerability has been fixed after cyber criminals were found to have been exploiting unpatched systems in the wild.
By Solomon Klappholz
-
Vulnerability management complexity is leaving enterprises at serious risk
News Fragmented data and siloed processes mean remediation is taking too long
By Emma Woollacott
-
A critical Ivanti flaw is being exploited in the wild – here’s what you need to know
News Cyber criminals are actively exploiting a critical RCE flaw affecting Ivanti Connect Secure appliances
By Solomon Klappholz
-
Researchers claim an AMD security flaw could let hackers access encrypted data
News Using only a $10 test rig, researchers were able to pull off the badRAM attack
By Solomon Klappholz
-
A journey to cyber resilience
whitepaper DORA: Ushering in a new era of cyber security
By ITPro