iPhone flaw lets hackers steal your personal data — don't do this in Safari
Safari exploit can trick you into sharing personal data with malicious websites on iPhones and Macs
An unpatched flaw in the Apple Safari browser lets hackers steal your browsing history, bookmarks, downloads or any other file that Safari can access, a Polish security researcher claims. The problem seems to exist on both Macs and iPhones.
Pawel Wylecial, who has a company called REDTEAM PL, wrote in a blog post yesterday (Aug. 24) that a feature called Web Share does a bit of oversharing in Safari. He said he told Apple of the flaw in April of this year, but because the company has decided not to fix the issue until the spring of 2021, Wylecial decided to go public.
Wylecial described this flaw as "not very serious," but some good social engineering could easily trick Apple users into giving up their personal data by luring them to malicious websites.
How easy? Wylecial created a proof-of-concept demonstration that you can try yourself at https://overflow.pl/webshare/poc2.html. If you click on the button labeled "share it with friends!" under the cute kitten in Safari, you'll be prompted with a list of possible apps for delivery: Messages, Mail and so on.
Choose a recipient and send the link, but beware: The recipient will also get your browsing history. We can see how data thieves could trick users into sending links to strangers as well.
What not to do
To avoid falling victim to this sort of thing, don't use Web Share in Safari for the time being. If you want to share a link with friends, fall back on the tried 'n' true method of selecting the link in the browser address bar, copying it, opening up an email or messaging app and pasting it into the body of the message.
We tried it ourselves
We tested Wylecial's proof of concept on Chrome for Android and it didn't work. But we had another person open the link in Safari on her iPhone, click the "Share it with friends!" button and send the link to our Gmail account. We received a SQLite database of her browsing history.
We asked another person to test Wylecial's proof of concept on a Mac. However, the "Share it with friends!" button seemed to only work with Apple applications. As she didn't have Mail set up to handle her email (she uses Gmail and Outlook), we couldn't go any further, but we think we could have if Mail had been set up.
Web oversharing
Web Share lets users send links from the browser to friends via email or instant message, but Wylecial says that Safari's implementation of Web Share doesn't check those links to see whether anything else has been added to them.
Wylecial discovered that if he appended a local filepath to the URL, the Safari Web Share function would copy the file as well as the URL and send both to the recipient of the Web Share.
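Web Share is invoked from a page's JavaScript through navigator.share(). As an added example (not the article's code and not Wylecial's proof of concept), here is a share-button handler that hands only absolute http or https URLs to the API and refuses anything else, file: paths included. The function names, the fallback origin and all sample inputs are assumptions constructed for this illustration.

```javascript
// Added example, not code from the article or from the researcher's PoC.
// A page-side share handler that passes only absolute http(s) URLs to the
// Web Share API. Function names and sample values are constructed.

// Resolve `rawUrl` against `baseOrigin` and return the canonical http(s) URL
// string, or null if the input is unparseable or uses any other scheme
// (file:, data:, blob:, ...). This is the check a caller should make before
// a URL ever reaches navigator.share().
function sanitizeShareUrl(rawUrl, baseOrigin) {
  let parsed;
  try {
    parsed = new URL(rawUrl, baseOrigin);
  } catch (err) {
    return null; // not a URL at all
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
    return null; // refuse local files and every non-web scheme
  }
  return parsed.href;
}

// Build the {title, text, url} object navigator.share() expects, or return
// null when the URL was rejected so the caller can bail out cleanly.
function buildShareData(title, text, rawUrl, baseOrigin) {
  const url = sanitizeShareUrl(rawUrl, baseOrigin);
  if (url === null) {
    return null;
  }
  return { title, text, url };
}

// Share a link from the current page. Uses the Web Share API where the
// browser offers it; otherwise falls back to copying the link to the
// clipboard, the manual method the article recommends. Returns which path
// was taken so callers (and tests) can inspect it.
async function shareLink(title, text, rawUrl) {
  // 'https://example.com' is a constructed placeholder for non-browser runs.
  const base = (typeof location !== 'undefined') ? location.origin : 'https://example.com';
  const data = buildShareData(title, text, rawUrl, base);
  if (data === null) {
    throw new Error('refusing to share a non-http(s) URL');
  }
  if (typeof navigator !== 'undefined' && typeof navigator.share === 'function') {
    await navigator.share(data);
    return 'web-share';
  }
  if (typeof navigator !== 'undefined' && navigator.clipboard) {
    await navigator.clipboard.writeText(data.url);
    return 'clipboard';
  }
  return 'unsupported';
}
```

A guard like this only protects visitors of a site that uses it from that site's own share links; a malicious page simply skips the check. The scheme restriction is one the browser itself has to enforce on whatever a page passes in, which is why the Safari fix Apple has scheduled matters far more than any page-side validation.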
Web Share is an open-source feature made available for all browsers, but according to the latest documentation, its only desktop implementation so far is on Safari for Macs. On mobile devices, Web Share is supported on Chrome, Opera and Samsung Internet for Android and on Safari for iOS.
Tom's Guide has reached out to Apple seeking comment, and we will update this story should we receive a reply.
Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.