A security researcher has found a bug in Apple's Safari browser that could let attackers leak or steal files from a user's device. The details of the Safari bug were published yesterday in a blog post.
Security Researcher Finds a Bug in the Safari Browser
Security researcher Pawel Wylecial, a co-founder of the Polish security firm REDTEAM.PL, discovered the bug. Wylecial reported it to Apple in April, but no fix followed, so he published his findings. The OS maker has delayed fixing the bug.
In a blog post, the researcher wrote that the bug lies in Safari's Web Share API, which lets users share links, files and other content from the browser through third-party apps. Safari on both iOS and macOS supports sharing files stored on the local hard drive.
This is a serious privacy problem: a malicious web page can invite the user to share an article via email while secretly attaching a file from the user's device to the share, leaking it.
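The defensive counterpart to the bug described above is a scheme allowlist applied to every URL handed to the Web Share API before the OS share sheet sees it. The following is an added illustration of that check, not Safari's code and not the researcher's; the function names `validateShareData` and `safeShare`, the `ALLOWED_SCHEMES` set and the sample payloads are all constructed for this example. It rejects `file:` (and any other non-web scheme) so a share request can never point at local storage, resolves relative URLs against the calling page as the API does, and strips embedded credentials from shared links.

```javascript
// Added illustration (not Safari's or the researcher's code): the kind of
// scheme allowlist a browser, or any app that exposes a share sheet, should
// apply to URLs passed to the Web Share API. Only http(s) web URLs are
// shareable; file:, blob:, data:, javascript: and every other scheme are
// refused so that a share can never reference a local file.

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

/**
 * Validate one share payload ({ title, text, url }) the way a hardened share
 * implementation would. Returns { ok: true, url } with the normalised URL
 * (null when no URL was supplied), or { ok: false, reason } on refusal.
 * `base` is the calling page's URL; relative `url` values resolve against it.
 */
function validateShareData(data, base) {
  if (data === null || typeof data !== "object") {
    return { ok: false, reason: "share data must be an object" };
  }
  const { title, text, url } = data;
  if (url === undefined) {
    // Title/text-only shares carry no link and need no scheme check.
    if (title === undefined && text === undefined) {
      return { ok: false, reason: "empty share data" };
    }
    return { ok: true, url: null };
  }
  let parsed;
  try {
    parsed = new URL(String(url), base);
  } catch {
    return { ok: false, reason: "url is not a valid URL" };
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) {
    return { ok: false, reason: `scheme ${parsed.protocol} is not shareable` };
  }
  // user:pass@ in a shared link is a leak/phishing vector; drop it.
  parsed.username = "";
  parsed.password = "";
  return { ok: true, url: parsed.href };
}

/**
 * Guarded wrapper around navigator.share for a page that offers sharing.
 * Refuses unsafe payloads and degrades cleanly where the API is missing.
 */
async function safeShare(data, base) {
  const verdict = validateShareData(data, base);
  if (!verdict.ok) throw new Error("share refused: " + verdict.reason);
  const nav = typeof navigator !== "undefined" ? navigator : null;
  if (!nav || typeof nav.share !== "function") {
    return { shared: false, reason: "Web Share API unavailable" };
  }
  const payload = { ...data };
  if (verdict.url) payload.url = verdict.url; else delete payload.url;
  await nav.share(payload);
  return { shared: true };
}

// Constructed sample payloads: a legitimate article link, a relative link,
// a text-only share, and a local-file reference that must never be shared.
const SAMPLES = [
  { title: "Read this", url: "https://example.com/article" },
  { title: "Read this", url: "/relative/article" },
  { text: "plain text share" },
  { title: "Read this", url: "file:///etc/passwd" },
];
for (const s of SAMPLES) {
  console.log(JSON.stringify(s), "->",
    JSON.stringify(validateShareData(s, "https://example.com")));
}
```

The check belongs in the browser (or whatever component builds the share sheet): a web page can only guard the shares it initiates itself, and cannot protect its users from a different, malicious page that calls the API directly.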
However, Wylecial said the bug is not very serious, since user interaction and fairly involved social engineering are needed to trick a user into leaking local files. He also said that an attacker could nonetheless easily get the user to share the file.
The main problem is not only the bug itself but how Apple handled the report. Apple has failed to have a patch ready, and the company also tried to delay the researcher from publishing his findings.
The situation Wylecial faced is becoming common among iOS and macOS bug hunters.
When the researcher disclosed the bug, other researchers reported the same experience: Apple had delayed fixing bugs they reported a year ago.
In July, Apple announced the rules of its Security Research Device program, which Google's vaunted Project Zero security team declined to join. The team said the program's rules were written to limit public disclosure and muzzle security researchers about their findings.
In April, another researcher reported a similar experience with Apple's bug bounty program, which he called "a joke".
For two of my bugs they've told me the same thing, that it will be fixed in "Fall of 2020", and yesterday I asked for an update. They replied it's not a bug
— Nikhil Mittal (@c0d3G33k) August 24, 2020
Apple announced the program in August, didn't open it until a few days before Christmas, and now still have not paid a single Mac security researcher to my knowledge.
It's a joke. I think the goal is just to keep researchers quiet about bugs for as long as possible.
— Jeff Johnson (@lapcatsoftware) April 21, 2020