REDTEAM.PL researcher Pawel Wylecial has decided to go public with his discovery of a bug that resides in Safari for both iOS and macOS. The bug can be found in the Web Share API, which Safari just implemented recently to allow for easier sharing of text, links, and files. This becomes a security issue when attackers set up fake web pages or send out emails that ask a potential victim to share files with people they know. In reality, the bug is being taken advantage of in order to extract files from the targeted device. Wylecial said he was fed up with waiting on Apple to produce some sort of patch for his finding or to even simply acknowledge it. Apple attempted to get Wylecial to wait to publish his findings until Spring of 2021, which would have been nearly a year since he originally reported it to them. Other researchers have complained of the same issue, claiming that Apple has either delayed their acknowledgement or simply tried to tell the researchers that what they discovered was not a bug.
Until a security update is available from Apple, the safest approach is to use other web browsers in place of Safari. While the bug may be difficult to exploit, users should still be cautious when visiting pages or receiving emails that ask them to share files, especially when the source is unknown. Although Apple’s handling of their bug bounty program has been subpar thus far, researchers should still continue to report their findings. If Apple doesn’t respond in a reasonable amount of time according to responsible disclosure guidelines, releasing the bug to the public is acceptable. If possible, it is helpful for security researchers to share details of vulnerabilities privately with trusted groups of security defenders before making it completely public, to give companies and security product makers some time to develop a mitigation or detection for attacks.