On Monday, security researcher Pawel Wylecial disclosed a bug in the Safari browser after Apple asked him to wait for the release of a patch until the spring of next year. The bug could be abused to steal data from a victim's device. Wylecial, founder of the Polish security research group REDTEAM.PL, first discovered the flaw back in April of this year and notified Apple. Although he reported the bug to Apple almost 4 months ago, Wylecial decided to publish its details today after Apple postponed patching it until the spring of 2021.
On Monday, the researcher published a blog post stating that the bug can leak user information and can be leveraged to steal data on iOS as well as on Mac. According to a report published by ZDNet, the bug is rooted in Apple's implementation of the Web Share Application Programming Interface (API), a new standard that allows users to share links, files, and other data from the browser via third-party apps. According to the researcher, Apple's Safari browser supports sharing files that are stored on the local hard drive. He characterizes the flaw as low risk, since it requires user interaction to facilitate a potential data leak. However, users may not be aware that they are sharing local files, since the attached files can be largely 'hidden' during the sharing process.
However, as pointed out by ZDNet, the real issue is not just the bug itself or how complex it is to exploit, but how Apple handles bug reports. The company confirmed that it was analyzing the bug about a week after Wylecial first reported it, but it did not respond to multiple follow-up requests for status updates.
In early August, the researcher notified the company that he would publish the details of the bug on August 24. The company asked him to hold off on the announcement until the patch for the bug was released in a security update in spring 2021. Despite announcing a dedicated bug bounty program, Apple is being accused of delaying bug fixes on purpose and of trying to silence bug hunters. For instance, when Wylecial published the details of this bug earlier today, many other security researchers reported similar situations in which Apple postponed patching bugs they had reported for over a year.