Pawel Wylecial, a co-founder of Polish security firm REDTEAM.PL, first discovered the bug on April 17 and reported to Apple, which was acknowledged by them on April 21. However, the tech giant continued to delay the issue despite repeated follow-ups by the researcher for status updates. On August 14, Apple finally replied to Wylecial asking him to withhold the details as they plan to address the issue in the Spring 2021 security update. Therefore, on August 24, the researcher decided to go public with his findings as he found the timeline proposed by Apple to patch the bug unreasonable. HOW DOES THE BUG WORK? The bug is rooted in Apple’s Web Share API – a new web standard that introduced a cross-browser API for sharing text, links, files, and other content, reports ZDNet. In a blog post on Monday, Wylecial said that the problem is that file: scheme is allowed, and when a website points to such URL unexpected behavior occurs. In case such a link is passed to the navigator.share function an actual file from the user file system is included in the shared message which leads to local file disclosure when a user is sharing it unknowingly. Wylecial has described the bug as “not very serious”, as user interaction is required to enable the potential data leak. However, he said it is very easy to make the shared file invisible to the users, comparing the ability of the flaw gives an attacker to clickjacking in the way it aims “to convince the unsuspecting user to perform some action.”
As pointed out by ZDNet, it was the way in which Apple dealt with Wylecial’s bug report. Generally, security researchers give companies a full 90 days before disclosing their findings to the public. However, when Apple revealed that they won’t patch the vulnerability until Spring 2021, Wylecial decided to go ahead and disclose it publicly. The bug presently affects iOS (13.4.1, 13.6), macOS Mojave 10.14.16 with Safari 13.1 (14609.1.20.111.8), and macOS Catalina 10.15.5 with Safari 13.1.1 (15609.2.9.1.2).
