Stealing Local Files Using Safari Web Share API
In general Web Share API allows users to share links from the browser via 3rd party applications (e.g. mail and messaging apps). The problem is that file: scheme is allowed and when a website points to such URL unexpected behavior occurs. In case such a link is passed to the navigator.share function an actual file from the user file system is included in the shared message which leads to local file disclosure when a user is sharing it unknowingly. The problem is not very serious as user interaction is required, however it is quite easy to make the shared file invisible to the user. The closest comparison that comes to mind is clickjacking as we try to convince the unsuspecting user to perform some action.[…]
The issue exists on both macOS and iOS; after selecting different methods of sharing we will get different results, some of them are shown below.
[…]
Below you can see a video demonstrating stealing user’s browsing history using web share API[…]
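The scheme check that keeps a file: URL out of a navigator.share call, as an added example that is not from the quoted post or from Safari's code. The helper names, the http/https allowlist and the sample values are assumptions made for illustration.

```javascript
// Added example: validate share data before it reaches navigator.share.
// ALLOWED_SCHEMES, checkShareData and verdict are hypothetical names.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Resolve data.url against the page URL (as a browser would) and return a
// sanitized copy of the share data, or throw if the URL is not a web URL.
function checkShareData(data, pageUrl) {
  const out = {};
  if (typeof data.title === "string") out.title = data.title;
  if (typeof data.text === "string") out.text = data.text;
  if (data.url !== undefined) {
    let resolved;
    try {
      resolved = new URL(String(data.url), pageUrl);
    } catch (e) {
      throw new TypeError("share url is not parseable");
    }
    // URL parsing lower-cases the scheme, so "FILE:" is caught as well.
    if (!ALLOWED_SCHEMES.has(resolved.protocol)) {
      throw new TypeError("share url scheme not allowed: " + resolved.protocol);
    }
    out.url = resolved.href;
  }
  if (Object.keys(out).length === 0) throw new TypeError("nothing to share");
  return out;
}

// Convenience wrapper returning "allow" or "reject" for logging.
function verdict(data, pageUrl) {
  try { checkShareData(data, pageUrl); return "allow"; }
  catch (e) { return "reject"; }
}

// Constructed samples; the file path is a placeholder, not a real target.
const PAGE = "https://example.test/article/1";
const samples = [
  { title: "Post", url: "/article/1" },                 // relative, resolves to https
  { title: "Post", url: "file:///path/to/local-file" }, // the scheme described above
  { title: "Post", url: "FILE:///path/to/local-file" }, // mixed case, same scheme
  { title: "Post", text: "no url at all" },
];
for (const s of samples) console.log(verdict(s, PAGE), JSON.stringify(s));
```

A page that builds share data from user-supplied or CMS-supplied links would pass the return value of checkShareData, not the raw input, to navigator.share.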
Catalin Cimpanu (via Hacker News):
Wylecial initially reported the bug to Apple earlier this spring, in April, but the researcher decided to go public with his findings today after the OS maker delayed patching the bug for almost a year, to the spring of 2021.
Previously:
- Apple Security Research Device Program
- Safari Privacy Protections Bypass
- Mac Sandbox Escape via TextEdit
- The Hotel Cupertino Clause