Safari Bug Can Expose Important Files

September 3, 2020 11:13 am

There’s a Safari bug out there, and although it isn’t as serious as others, it can still pose a real threat and expose your important files. This particular vulnerability can trick a user into unknowingly sending a file from their system to any recipient, but the user has to perform an action themselves for this to happen. While that makes it harder for users to fall for this threat, this “clickjacking” style of attack can still convince an unsuspecting user to take that action.

To break it down simply, Safari’s Web Share API supports the file:// URI scheme. Because of this, a website can attach a link to a file on the user’s computer to the same share button that a user would otherwise use to share the content they’re looking at via a third-party app. For example, a simple link under a picture that says “Check this out!” can also include your Mac’s “passwd” file, since the link’s source code also includes the value “file:///etc/passwd”.

If you weren’t paying full attention, something like this could easily slip through. When using another app to compose the message, it can be difficult to tell which file you are actually sharing. For example, the Gmail app renders the file name so unrecognizably that most users wouldn’t know they were sharing their password file.

Because of this ongoing issue, Apple has stated that it will ship a security patch for it in the spring of 2021.

