Security researcher Pawel Wylecial yesterday publicly disclosed a Safari vulnerability that can be used to trick users into unknowingly sending any file on their system to a recipient.
Though Wylecial himself says the bug “is not very serious,” in that it still requires a person to manually do something in order to mistakenly send a file from one’s system to another person—including entering a recipient—“it is quite easy to make the shared file invisible to the user. The closest comparison that comes to mind is clickjacking as we try to convince the unsuspecting user to perform some action.”
How it works is pretty simple. Safari’s Web Share API supports the file:// URI scheme. As a result, you can incorporate a link to a file on a user’s computer within the same site button a user would otherwise use to share the content they’re looking at via a third-party app.
So, for example, clicking on this button:
and sharing that image via, say, the macOS Mail app, would create a rather innocent message—“check out this cute kitten!”—that would also include your Mac’s “passwd” file, as the button also includes the URL “file:///etc/passwd” in the site’s source code:
If you were paying attention, you’d notice the attachment in your email message and probably question it and/or quickly delete it, but if you weren’t, well, you would have just sent a recipient a file you didn’t mean to send. And I can totally see a website abusing this feature by encouraging users to share content to some kind of catch-all inbox for this information.
Again, you’re probably not likely to be duped if you’re decently tech-savvy, but those who are not could get suckered in, especially since it’s hard to tell what file you’re actually sharing when you use other apps to create the message. As Wylecial writes, the Gmail app, for example, mucks up the file name so much that you wouldn’t even know you were sharing your password file (to continue this example).
Wylecial disclosed this vulnerability to Apple in April of 2020. Apple finally replied in July that they’re investigating the issue, and clarified in August that they’ll be patching this in a security update scheduled for Spring of 2021.
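The missing safeguard described above is a scheme check on the shared URL. The following is an added example, not code from the article or from Wylecial's write-up, of an allow-list audit for Web Share payloads; the function names, the `example.test` page URL and the sample payloads are assumptions constructed for illustration.

```javascript
// Added example: audit a Web Share payload before it reaches navigator.share().
// Only http(s) URLs are allowed; anything else (file:, data:, ...) is reported.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Returns a list of findings; an empty list means the payload is acceptable.
function auditShareData(data, pageUrl) {
  const findings = [];
  if (data.url !== undefined) {
    let parsed;
    try {
      // Resolve relative URLs against the page, as the browser would.
      parsed = new URL(String(data.url), pageUrl);
    } catch (err) {
      findings.push(`url: unparseable value ${JSON.stringify(data.url)}`);
    }
    if (parsed && !ALLOWED_SCHEMES.has(parsed.protocol)) {
      findings.push(`url: scheme ${parsed.protocol} is not allowed`);
    }
  }
  // A file URI placed in the visible fields is also worth flagging.
  for (const field of ["title", "text"]) {
    if (/\bfile:\/\//i.test(String(data[field] ?? ""))) {
      findings.push(`${field}: contains a file:// reference`);
    }
  }
  return findings;
}

// Hypothetical wrapper: shareFn stands in for navigator.share.bind(navigator).
async function guardedShare(data, pageUrl, shareFn) {
  const findings = auditShareData(data, pageUrl);
  if (findings.length > 0) {
    throw new Error("share blocked: " + findings.join("; "));
  }
  return shareFn(data);
}

// Constructed sample payloads; the second mirrors the article's passwd example.
const PAGE = "https://example.test/kittens";
const benign = { title: "Kitten", text: "check out this cute kitten!", url: "/kitten.jpg" };
const suspicious = { title: "Kitten", text: "check out this cute kitten!", url: "file:///etc/passwd" };
```

A site that builds share payloads from untrusted input could call `guardedShare` in place of `navigator.share`; it does not replace the browser-side fix.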