Here's a neat exploit to trick someone into inadvertently emailing their files to you from their Mac, iPhone via Safari

Speaking purely hypothetically, of course

8 Reg comments Got Tips?

Pawel Wylecial, a security consultant with Redteam.pl, has published a proof-of-concept exploit for stealing files from iOS and macOS devices via web application code that utilizes the Web Share API.

The security flaw, which isn't too scary as it requires some user interaction, has not yet been repaired, though a patch is being worked on. It's interesting enough to share here so that developers can avoid similar vulnerabilities in their software.

The exploit involves getting someone to open in Safari a web page with a button that triggers the WebShareAPI in a way that launches native Mail or Gmail apps. In doing so, the message can attach a file from the local system, such as the browser history and other sensitive files, while hiding the attachment from view.

It probably works with other iOS browsers too because Apple forces all iOS browsers to use its WKWebView class, which implements the WebShare API, for rendering web content.

Wylecial claims to have revealed the flaw in April to Apple, which after several unresponsive months recently asked for disclosure to be delayed until Spring 2021, when the company thought it might get around to issuing a security update.

Finding it unreasonable to be asked to wait for a year, Wylecial went ahead and published details about the flaw.

The Web Share API, he explains, lets browser users share links in the browser with third-party native applications like mail and messaging apps. The API allows a file: path to be supplied as if it were a URL to be shared. Native apps can then receive that file path via the navigator.share function and will supply it to the shared message.

In a GitHub issue to the Web Share API repo, Matt Giuca, a Google Chrome developer, says, "The vulnerability is due to apparent misbehavior of the native app, which is not subject to same-origin policy and is therefore able to fetch any URL it wants, including local files. Native apps should not trust incoming intents (which could be coming from any app), but from the browser side, we have no control over the behavior of native apps."

Giuca adds that the issue goes beyond file URLs. It has implications for any sensitive URL on the user's private network, like router configuration files, he suggests, adding that it also affects public URLs that might reveal private information if accessed with local cookie files.

Wylecial's video demo shows that malicious code can attach a sensitive local file, like a user's /etc/passwd file or Safari browsing history, to an outgoing message.

The bug isn't too serious, Wylecial says, because user interaction is required, though he allows that it's easy enough to make the shared file invisible to the user. That would make successful data exfiltration more likely.

About a day ago, Apple's WebKit team developed a fix for the issue. It hasn't yet been released.

The Register asked Apple for comment. True to expectation, we've not heard back. ®

SUBSCRIBE TO OUR WEEKLY TECH NEWSLETTER


Biting the hand that feeds IT © 1998–2020