Researcher Pawel Wylecial on Monday revealed a Safari bug after being told by Apple that an incoming patch would have to wait until spring 2021.
Wylecial, who founded Polish research group REDTEAM.PL, first discovered and informed Apple of the issue in April, noting the flaw can leak user information and be leveraged to steal data on both iOS and Mac, according to a blog post Monday.
The bug is rooted in Apple's Web Share API, a new standard that enables sharing of links, files and other data from a browser via third-party applications, reports ZDNet. According to Wylecial, Apple's implementation supports the file: scheme, meaning shared messages can in some cases include files from the local system.
Wylecial characterizes the issue as low risk because user interaction is required to facilitate the potential data leak. He does note, however, that users may be unaware that they are sharing local data, as the attached files can be made largely "invisible" during the process.
As pointed out by ZDNet, a more pressing problem is Apple's handling of the bug report.
Apple acknowledged that it was analyzing the issue about a week after it took receipt of Wylecial's initial alert, but multiple follow-up requests for status updates were left unanswered.
Wylecial in early August informed the company that the bug would be disclosed publicly on Aug. 24. Apple asked to withhold an announcement, saying the problem would be addressed in a spring 2021 security update. Finding the proposed timeline unreasonable, Wylecial opted to detail the bug on his blog.
9 Comments
That seems unreasonable considering the fact that he notified them in the middle of a pandemic when resources and developers were dispatched to work with Google to develop a Covid-19 exposure tracking platform and move their entire developers conference online.
Apple acknowledged the bug, and gave a timeline for the fix. He should’ve followed protocol and waited until after the fix to disclose.