A bug in Safari’s Web Share API causes the browser to access files that users would not normally have access to, such as Safari’s history database.
Security researchers at Redteam.pl have discovered a potentially serious flaw in Safari.
A bug in the Web Share API used to add Share buttons to web pages can be used to share system files.
The API is normally used to make it easy for visitors to share content from the website via email or messages, save it to Dropbox or similar services, or send it elsewhere via the system’s regular Share dialog.
What Redteam.pl has discovered is that the API can be used to share resources with file:// URLs, i.e. files on the device’s internal storage. Not only that – Safari accesses system files that you as a user cannot access. For example, a page might add a Share button that sends Safari’s history database or stored passwords.
The bug cannot be used to automatically upload or share sensitive files to anyone, so hackers must try to trick visitors. But even if the risk is low that you will be deceived in that way, the bug is serious as it breaks out of Safari’s sandbox.
Redteam.pl reported the bug to Apple back in April, but the company indicated that it did not plan to fix it until the spring of 2021. According to 9to5Mac, however, it has already been blocked in the latest beta versions of iOS 14 and Big Sur.
This article originally appeared on Macworld Sweden. Translation by Karen Haslam.