Security firm REDTEAM.PL found a bug within Safari’s Web Share API that let them steal local files from the target device and steal Safari browsing history. The team privately disclosed the bug to Apple, which acknowledged the issue but wanted the public disclosure to wait until after a fix was issued in a Spring 2021 security update (nearly a year after private disclosure).
Safari Web Share API
Safari’s Web Share API is a cross-browser API to share URLs, files, text, and other content. The team found that the API is capable of sharing files stored on a user’s hard drive by changing the URL scheme (file://). A web site exploiting this bug could steal files if a user shared the article elsewhere.
Browsing history could also be leaked in this manner. The team says the bug is “not very serious” because it requires user interaction and social interaction to trick the person into leaking their files. They have more of an issue with Apple’s response, saying that the company’s request to delay the disclosure for almost a full year is “way past the standard 90-days vulnerability disclosure deadline that’s broadly accepted in the infosec industry.”
Indeed, Apple’s Security Research Device program introduced in July limits security researchers and place control of disclosure into Apple’s hands.