iPhone flaw allows hackers to steal your personal data — Don't do this in Safari

An unpatched flaw in Apple's Safari browser allows hackers to steal browsing history, bookmarks, downloads, and any other files Safari can access, Polish security researchers claim. The problem appears to exist on both Macs and iPhones.

Pawel Wylecial, who runs a company called REDTEAM PL, wrote in a blog post yesterday (August 24) that a feature called Web Share does a bit of oversharing in Safari. He informed Apple of the flaw in April of this year, but the company decided not to fix the problem until the spring of 2021, so Wylecial decided to go public.

Wylecial described the flaw as "not that serious," but through clever social engineering, it is easy to lure Apple users to malicious websites and have them provide personal data.

How easy? Click the button below the cute kitten in Safari that says "share it with friends!" and you'll be presented with a list of apps, including Messages and Mail, through which the link can be sent.

Select a recipient and send the link, but beware: the recipient will also get your browsing history. You can see how data thieves could trick users into sending links to strangers as well.

To avoid this type of damage, do not use Web Share in Safari for the time being. If you want to share a link with a friend, go back to the tried and true method of selecting the link in the browser address bar, copying it, opening an email or messaging app, and pasting it into the body of the message.

Wylecial's proof of concept was tested on Chrome for Android and did not work. However, we had another person open the link in Safari on her iPhone, click the "Share with Friends!" button and send the link to our Gmail account. We received a SQLite database of her browsing history.

We had another person test Wylecial's proof-of-concept on a Mac. However, the "Share it with friends!" button only seemed to work with Apple applications. Since she did not have Mail set up to handle email (she uses Gmail and Outlook), we could not go any further, but we could have if Mail had been set up.

Web Share allows browser users to easily send browser links to friends via email or instant messaging, but according to Wylecial, Safari's implementation of Web Share does not check to see if anything has been added to the link.

Wylecial found that if a local file path is added to the URL, Safari's Web Share feature copies the file as well as the URL and sends both to the Web Share recipient.
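The kind of check described above as missing, sketched as an added example (not code from Wylecial's write-up, Apple or Tom's Guide): it resolves the shared URL the way a browser would and refuses anything that is not plain web content. The helper names `checkSharePayload` and `safeShare`, the base URL and the sample values in the comments are assumptions made for illustration, and scanning the `title` and `text` fields goes one step beyond the URL case the article describes.

```javascript
// Added example: allow-list validation of a Web Share payload before it is
// handed to the share sheet. Helper names are hypothetical.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Finds "scheme://..." references embedded in free text, so a non-web
// reference tucked into title/text is caught as well.
const EMBEDDED_URL = /\b[a-z][a-z0-9+.-]*:\/\/\S+/gi;

function checkSharePayload(data, baseUrl) {
  const problems = [];
  if (data.url !== undefined) {
    let parsed = null;
    try {
      // Resolve against the page URL, as the browser does for relative links.
      parsed = new URL(String(data.url), baseUrl);
    } catch {
      problems.push("url: not parseable");
    }
    if (parsed && !ALLOWED_SCHEMES.has(parsed.protocol)) {
      problems.push(`url: scheme ${parsed.protocol} not allowed`);
    }
  }
  for (const field of ["title", "text"]) {
    for (const match of String(data[field] ?? "").matchAll(EMBEDDED_URL)) {
      let scheme;
      try { scheme = new URL(match[0]).protocol; } catch { continue; }
      if (!ALLOWED_SCHEMES.has(scheme)) {
        problems.push(`${field}: embedded ${scheme} reference`);
      }
    }
  }
  return { ok: problems.length === 0, problems };
}

// Gate in front of the real share call; shareFn would be
// (d) => navigator.share(d) in a browser.
function safeShare(data, baseUrl, shareFn) {
  const verdict = checkSharePayload(data, baseUrl);
  if (!verdict.ok) {
    throw new Error("share blocked: " + verdict.problems.join("; "));
  }
  return shareFn(data);
}

// Constructed sample: { url: "/kitten" } on https://example.com/page passes;
// { url: "file:///constructed/example/path" } is rejected.
```

A site that passes user-influenced values to the share dialog can run this before calling `navigator.share`; it does not replace a fix in the browser itself.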

Web Share is an open source feature available in all browsers, but according to the latest documentation, the desktop implementation is currently only available in Safari for Mac. On mobile devices, Web Share is supported by Chrome, Opera, and Samsung Internet on Android, and Safari on iOS.

Tom's Guide has reached out to Apple for comment and will update this article if we hear back.
