Posted on August 26, 2020 at 2:19 PM
Vulnerability in Safari Browser Allows Hackers to Steal User Files
A recent report revealed that MacOS owners and those using the Safari browser to surf the web may be vulnerable to a malicious attack. According to the report, the vulnerability enables hackers to steal files from victims’ computers.
The recently discovered vulnerability in the Safari browser may dimple Apple’s high reputation for prompt vulnerability fixes. The bug opens the door for hackers to hijack the features of the benign browser, stealing private data and files in the process. Right now, the vulnerability is still open for attack, and cybersecurity experts have offered some word of advice for users to prevent being a victim.
Based on a bulletin released by Pawel Wylecial, a Polish security researcher, the new vulnerability was discovered in Apple’s Safari API, which can make hackers take advantage of an otherwise harmless feature to steal sensitive data.
The particular bug allows the user to share videos, images, links, and other content with their contacts over the web.
Generally, it’s harmless to use the feature when sharing items via the phone. However, a malicious actor could change a shared link theoretically to steal the shared files. In essence, it means that once the user shares a file, the actual file sent will not be the right one they intended. It is not that the user mistakenly sent the wrong file, but the actors are manipulating the bug.
Actors can easily extract files
To explain the problem clearly, REDTEAM.PL updated a link for password extraction while the original request was a cart photo.
In this case, if a user mistakenly clicked on this type of link, the scenarios will be a dangerous one as the actors can easily extract the private system files and browser history of the user.
The worst part of the whole situation is the fact that the MacOS system dialogues do not always indicate the type of file being shared. As a result, the user may not even realize their data and information have been robbed.
And to make matters worse, system dialogues in MacOS don’t always fully show the file being shared. This means a user could have their device robbed without realizing it.
Pawel said he contacted Apple with evidence about the vulnerability. However, the firm did not act swiftly or take the issue too seriously. Apple put the bug in the “low priority” section because it requires user interaction for hackers to successfully use it.
Apple later admitted it is working to get a patch for the bug, but it’s likely not going to be available until next year’s spring.
Apple then asked the security researchers to hold on before publicly disclosing their findings, because the company wants to address the issue first.
However, Pawel said Apple did not give any specific timeline, which is why he decided to share his discoveries with the online community.
How users can protect themselves
Presently, the right course of action is for the users to use the share link on their own using the Safari Icon that resembles a box with an arrow. The user is safe if they don’t click on the malicious link prompting them to share the menu before opening. So, if the user shares the files from their phone menu on their phone, it will not be harmful to them.
Security researchers have also warned users to stop responding to menu prompts they see online. If a site requests or instructs the user to share a file, they should assume that it’s a bogus request meant to trick them.
Those who follow the request could lose more than they expect from their smartphone, because their passwords, photos, and entire browsing history could be at stake.