Safari vulnerability disclosed after Apple pushes fix to Spring 2021

A vulnerability in Apple’s Web Share API, used to share Safari links through third-party apps, has been publicly disclosed after Apple said it wouldn’t release a fix until Spring 2021.

The Web Share API allows users to share links to elements, such as photos, from the Safari browser through third-party applications, including any email client. A flaw found in this integration, however, could allow a hacker to configure a malicious site to attach system files to an email, in addition to the link being shared.

The bug has been disclosed by researcher Pawel Wylecial four months after he first brought it to Apple’s attention, and after the company confirmed that it would be releasing a fix but that this wouldn't be available until at least Spring 2021.

The vulnerability was tested on iOS 13.4.1 and 13.6, macOS Mojave 10.14.16 with Safari 13.1 and on macOS Catalina 10.15.5 with Safari 13.1.1, although other versions of Apple iPhone and Mac operating systems, and Safari, may be affected.

Wylecial first discovered the vulnerability on 17 April and reported this Apple four days later. Although Apple suggested it would investigate the issue, a back-and-forth exchange ensued over the next few months with few or no updates.

The researcher asked for another status update on 21 July and asked if the firm needed more time to investigate, adding he would disclose the flaw after 24 July if there were no further replies or objections. The company responded suggesting it was still investigating and would follow up as soon as it had an update.

Wylecial then set the disclosure date of 24 August at the start of the month, and asked Apple for another status update. The company asked him not to publish the details, as it was planning on addressing the issue in the Spring 2021 security update.

The researcher finally published the flaw on cue as he felt waiting for almost an additional year, after four months had already elapsed since the vulnerability was first reported, was unreasonable.

Wylecial set up a proof-of-concept site for his testing, where he exploited the flaw in the API integration to attach a user’s ‘etc/passwd file’ to an email when sharing a photo through email. This file is a text file that contains the attributes of each user on a machine running Linux or another Unix-like operating system.

He also demonstrated the exploit by showing that a user’s browsing history can be exfiltrated and subsequently read through the Safari web browser.

While the flaw is described as “not serious”, given it requires user interaction in order to successfully exploit, Apple’s apparent sluggishness in fixing it could be of some concern for security researchers.

Apple's new iPhone bug bounty programme has come under similar scrutiny, with some expressing concern over the company's strict disclosure policies that effectively muzzle researchers until Apple sets a date. This deviates notably from the standard 90-day disclosure practice adopted by many companies in the industry.