How This Safari Error Can Open Files on Your Mac or iPhone
Security researcher Pavel Wylecial yesterday publicly disclosed a Safari vulnerability that could trick users into unknowingly sending any file on their system to a recipient.
Wylecial says that the error is “not very serious” because it still requires a person to do something by hand to mistakenly send a file from their system to another person, including specifying the recipient. He adds, however, that it is pretty easy to make “a shared file invisible to the user. The closest comparison that comes to mind is clickjacking, where we try to convince an unsuspecting user to take an action.”
The principle of operation is quite simple. Safari's implementation of the Web Share API accepts the file:// URI scheme. As a result, a site can put a link to a file on the user's computer into the same button that the user would otherwise use to share the content they are viewing through a third-party application.
So, for example, clicking on such a share button and sending the image, say through the macOS Mail app, will create a rather innocent message (“Look at this cute kitten!”) that also includes your Mac's “passwd” file, because the button also carries the URL “file:///etc/passwd” in the site's source code.
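Seen from the side of a site that builds share payloads from content it does not fully control, the corresponding guard is to allow only http(s) URLs before anything reaches `navigator.share`. The following is an added example, not code from the original article or from the researcher's write-up; the function names, the sample payloads and the `example.test` URLs are hypothetical.

```javascript
// Added example: scheme allowlist for Web Share API payloads.
// Function names and the example.test URLs are hypothetical.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Returns a cleaned copy of `data`; throws if `url` is not an http(s) URL.
// `baseUrl` resolves relative links the same way the browser would.
function sanitizeShareData(data, baseUrl) {
  const out = {};
  if (typeof data.title === "string") out.title = data.title;
  if (typeof data.text === "string") out.text = data.text;
  // Any other field (for example `files`) is deliberately not copied.
  if (data.url !== undefined) {
    let parsed;
    try {
      parsed = new URL(String(data.url), baseUrl);
    } catch (err) {
      throw new TypeError("share url is not a valid URL");
    }
    // URL parsing lowercases the scheme and trims leading whitespace,
    // so "  FILE:///etc/passwd" is still seen as "file:".
    if (!ALLOWED_SCHEMES.has(parsed.protocol)) {
      throw new TypeError("share url scheme not allowed: " + parsed.protocol);
    }
    out.url = parsed.href;
  }
  return out;
}

// Boolean form of the same check, convenient for logging or tests.
function isShareable(data, baseUrl) {
  try { sanitizeShareData(data, baseUrl); return true; } catch (err) { return false; }
}

// Constructed sample payloads (not taken from any real site).
const BASE = "https://example.test/gallery/";
const SAMPLES = [
  { text: "Look at this cute kitten!", url: "/kitten.jpg" },
  { text: "Look at this cute kitten!", url: "file:///etc/passwd" },
  { text: "Look at this cute kitten!", url: "  FILE:///etc/passwd" },
  { text: "Text only, no url" },
];
function checkSamples() { return SAMPLES.map((s) => isShareable(s, BASE)); }

// Browser wiring (assumes a page context where navigator.share exists).
async function shareSafely(data) {
  return navigator.share(sanitizeShareData(data, document.baseURI));
}
```

This hardens a site's own share button against untrusted link data; it does nothing for a visitor on a site that sets the URL itself, which is why the fix has to come from the browser.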
If you had paid attention, you would have noticed the attachment in your email message and probably questioned it and/or quickly deleted it, but if you hadn't, well, you would have just sent a file that you didn't intend to send to the recipient. And I can very well see a website abusing this feature, encouraging users to share content to some kind of universal inbox that collects that information.
Again, you're probably not likely to be fooled if you're decently tech-savvy, but those who aren't can get sucked in, especially since it's hard to tell which file you're actually sharing when you're using other apps to create the message. According to Wylecial, the Gmail app, for example, mangles the filename so that you don't even know you are passing along your password file (to continue with this example).
Wylecial reported this vulnerability to Apple in April 2020. In July, Apple finally replied that it was investigating the issue, and in August clarified that it would fix it in a security update scheduled for spring 2021.