An unpatched flaw in the Apple Safari browser lets hackers steal your browsing history, bookmarks, downloads or any other file that Safari can access, a Polish security researcher claims. The problem seems to exist on both Macs and iPhones.
Pawel Wylecial, who has a company called REDTEAM PL, wrote in a blog post yesterday (Aug. 24) that a feature called Web Share does a bit of oversharing in Safari. He said he told Apple of the flaw in April of this year, but because the company has decided not to fix the issue until the spring of 2021, Wylecial decided to go public.
Wylecial described this flaw as “not very serious,” but some good social engineering could easily trick Apple users to give up their personal data by luring them to malicious websites.
How easy? Wylecial created a proof-of-concept demonstration that you can try yourself at https://overflow.pl/webshare/poc2.html. If you click on the button labeled “share it with friends!” under the cute kitten in Safari, you’ll be prompted with a list of possible apps for delivery — Messages, Mail and so on.
Choose a recipient and send the link, but beware: The recipient will also get your browsing history. We can see how data thieves could trick users into sending links to strangers as well.
What not to do
To avoid falling victim to this sort of thing, don’t use Web Share in Safari for the time being. If you want to share a link with friends, fall back on the tried ‘n’ true method of selecting the link in the browser address bar, copying it, opening up an email or messaging app and pasting it the body of the text.
We tried it ourselves
We tested Wylecial’s proof of concept on Chrome for Android and it didn’t work. But we had another person open the link in Safari on her iPhone, click the “Share it with friends!” button and send the link to our Gmail account. We received a SQLite database of her browsing history.
We asked another person to test Wylecial’s proof of concept on a Mac. However, the “Share it with friends!” button seemed to only work with Apple applications. As she didn’t have Mail set up to handle her email (she uses Gmail and Outlook), we couldn’t go any further, but we think we could have if Mail had been set up.
Web Share lets browser users easily send browser links to friends via email or instant messages, but Wylecial says that Safari’s implementation of Web Share doesn’t check those links to see if there’s anything else added.
Wylecial discovered that if he appended a local filepath to the URL, the Safari Web Share function would copy the file as well as the URL and send both to the recipient of the Web Share.
Web Share is an open-source feature made available for all browsers, but according to the latest documentation, its only desktop implementation so far is on Safari for Macs. On mobile devices, Web Share is supported on Chrome, Opera and Samsung Internet for Android and on Safari for iOS.
Tom’s Guide has reached out to Apple seeking comment, and we will update this story should we receive a reply.