Security researcher at Redteam.pl has discovered a potentially serious flaw in Safari. A bug in the Web Share api used to add Share buttons to web pages can be used to share system files, reports 9 to 5 Mac.
The API is normally used to make it easy for visitors to share content from the website via email or messages, save to Dropbox or similar, or other via the system’s regular Share dialog.
What Redteam.pl has discovered is that the api can be used to share resources with file: // urls, ie files on the device’s internal storage. Not only that – Safari accesses system files that you as a user cannot access. For example, a page might enter the share button that sends Safari’s history database or stored passwords.
The bug cannot be used to automatically upload or share sensitive files to anyone, so hackers must try to trick visitors. But even if the risk is low that you will be deceived in that way, the bug is serious as it breaks out of Safari’s sandbox.
Redteam.pl reported the bug to Apple already in April, but the company recently replied that it does not plan to fix it until the spring of 2021. According to 9 to 5 Mac, however, it has already been blocked in the latest beta versions of iOS 14 and Big Sur.