Researcher reveals Safari data leak bug after Apple delays patch to 2021

Posted in General Discussion, edited August 2020
Researcher Pawel Wylecial on Monday revealed a Safari bug after being told by Apple that an incoming patch would have to wait until spring 2021.

Wylecial, who founded Polish research group REDTEAM.PL, first discovered and informed Apple of the issue in April, noting the flaw can leak user information and be leveraged to steal data on both iOS and Mac, according to a blog post Monday.

The bug is rooted in Apple's Web Share API, a new standard that lets a web page hand off links, files and other data from the browser to third-party applications, reports ZDNet. According to Wylecial, Apple's implementation accepts URLs with the file: scheme, meaning a shared message can in some cases include files from the local file system.

Wylecial characterizes the issue as low risk because user interaction is required for the data leak to occur. He notes, however, that users may not realize they are sharing local data, as the attached file can be made largely "invisible" during the process.
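To illustrate the mitigation side of what is described above, here is an added example that is not code from the article, from Apple or from REDTEAM.PL: a page-side allowlist that resolves a share target URL the way the browser does and refuses anything that is not http(s), so a file: URL never reaches navigator.share. The names validateShareUrl, sanitizeShareData, safeShare and the injected shareImpl parameter are assumptions for illustration.

```javascript
// Added example, not code from the article, Apple or REDTEAM.PL: a page-side
// allowlist that keeps non-http(s) targets (such as file: URLs) out of the
// Web Share API payload. Function names here are assumptions for illustration.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Resolve `url` against `base` (assumed to be the document's URL) exactly as
// the browser would, then check the resulting scheme. Returns
// { ok, href, reason }. Relative URLs inherit the base's scheme, so a page
// loaded from a file: URL is rejected here as well.
function validateShareUrl(url, base) {
  let parsed;
  try {
    parsed = new URL(String(url), base);
  } catch (e) {
    return { ok: false, href: null, reason: "unparseable URL" };
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) {
    return { ok: false, href: parsed.href, reason: "scheme " + parsed.protocol + " not allowed" };
  }
  return { ok: true, href: parsed.href, reason: null };
}

// Copy the ShareData object, replacing `url` with its validated absolute form.
// Throws on anything that fails validation so nothing partial is shared.
function sanitizeShareData(data, base) {
  const payload = { ...data };
  if (payload.url !== undefined) {
    const v = validateShareUrl(payload.url, base);
    if (!v.ok) throw new Error("share blocked: " + v.reason);
    payload.url = v.href;
  }
  return payload;
}

// `shareImpl` stands in for navigator.share so the code also runs in Node.
async function safeShare(data, base, shareImpl) {
  return shareImpl(sanitizeShareData(data, base));
}

// Constructed sample run: a normal link passes, a local file target is refused.
const DOC = "https://example.com/article";
const accepted = sanitizeShareData({ title: "t", url: "/page?x=1" }, DOC);
let refused = null;
try { sanitizeShareData({ title: "t", url: "file:///tmp/example.txt" }, DOC); }
catch (e) { refused = e.message; }
```

In a real page, `safeShare(data, document.URL, (p) => navigator.share(p))` would replace a direct navigator.share call.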

As pointed out by ZDNet, a more pressing problem is Apple's handling of the bug report.

Apple acknowledged that it was analyzing the issue about a week after it received Wylecial's initial alert, but multiple follow-up requests for status updates went unanswered.

Wylecial in early August informed the company that the bug would be disclosed publicly on Aug. 24. Apple asked to withhold an announcement, saying the problem would be addressed in a spring 2021 security update. Finding the proposed timeline unreasonable, Wylecial opted to detail the bug on his blog.

Comments

  • Reply 1 of 9
    genovelle (Posts: 1,480, member)
    That seems unreasonable considering the fact that he notified them in the middle of a Pandemic when resources and developers were dispatched to work with Google to develop a Covid-19 exposure tracking platform and move their entire developers conference online. 
  • Reply 2 of 9
    Rayz2016 (Posts: 6,957, member)
    Apple acknowledged the bug, and gave a timeline for the fix. He should’ve followed protocol and waited until after the fix to disclose. 

    Seems he couldn’t wait for this two minutes of fame so decided to put Safari users at (minimal) risk. 

  • Reply 3 of 9
    genovelle said:
    That seems unreasonable considering the fact that he notified them in the middle of a Pandemic when resources and developers were dispatched to work with Google to develop a Covid-19 exposure tracking platform and move their entire developers conference online. 
    You know something called work from home?

    Apple has tens of thousands of engineers; finding a couple of them to deal with the problem will not be that hard. Also, Apple is selling for security of their products these days. Shouldn’t they put a little more resources to handle it? April to next January is 9 months; no matter how you look at it, it is a very long time for a security patch.
  • Reply 4 of 9
    Rayz2016 (Posts: 6,957, member)
    viclauyyc said:
    genovelle said:
    That seems unreasonable considering the fact that he notified them in the middle of a Pandemic when resources and developers were dispatched to work with Google to develop a Covid-19 exposure tracking platform and move their entire developers conference online. 
    You know something called work from home?

    Apple has tens of thousands of engineers; finding a couple of them to deal with the problem will not be that hard. Also, Apple is selling for security of their products these days. Shouldn’t they put a little more resources to handle it? April to next January is 9 months; no matter how you look at it, it is a very long time for a security patch.
    The problem here is that you have no idea how many engineers Apple has, how many of them work on the Web Share API, how many other apps rely on the Web API, the level of testing involved in the fix, the other higher-priority bugs in front of this minor problem in the queue, how many other projects would be affected by dropping everything to fix this, or anything at all about some software development. 
  • Reply 5 of 9
    dewme (Posts: 5,362, member)
    Rayz2016 said:
    viclauyyc said:
    genovelle said:
    That seems unreasonable considering the fact that he notified them in the middle of a Pandemic when resources and developers were dispatched to work with Google to develop a Covid-19 exposure tracking platform and move their entire developers conference online. 
    You know something called work from home?

    Apple has tens of thousands of engineers; finding a couple of them to deal with the problem will not be that hard. Also, Apple is selling for security of their products these days. Shouldn’t they put a little more resources to handle it? April to next January is 9 months; no matter how you look at it, it is a very long time for a security patch.
    The problem here is that you have no idea how many engineers Apple has, how many of them work on the Web Share API, how many other apps rely on the Web API, the level of testing involved in the fix, the other higher-priority bugs in front of this minor problem in the queue, how many other projects would be affected by dropping everything to fix this, or anything at all about some software development. 
    Have to agree with Rayz2016 on this one. All software development organizations have a triage process for prioritizing which bugs get fixed first because no organization anywhere, including Apple, has unlimited resources, unlimited bandwidth, or unlimited availability of the technical experts who can most effectively fix any bug. Sorry, but it's not like any software dev is equally able to fix a bug in any piece of code. There is almost always some degree of specialization in parts of a big code base. You could throw any dev on it, hope for the best, hope they learn the code base quickly, and hope the potential side effects are less destructive than the fix. Good luck with that. 

    In good software development organizations there is a process for triaging all bugs. It's usually driven by an algorithm of sorts, like a failure mode effects analysis (FMEA) applied to software. People who understand the code, people who understand the functional impact of the bug, and people who understand the customer impact all weigh in on prioritizing the work needed to fix a bug so it can be prioritized against ALL other work that is on the team's plate. By design all security and privacy related bugs get bumped up in priority by default, but there's always going to be more tasks queued up within a certain time window than there are qualified people to work on the tasks. That's just a fact of life and making everything the "top priority" doesn't solve anything when you have to deal with time, people, and for some organizations, financial constraints.

    Bottom line is that Apple didn't pull the Spring 2021 estimate out of their ass. It came from an analytical process. I understand that the bug discoverer wants to get recognition and at some level feels that Apple doesn't have the same sense of urgency that he has about this bug. I get it. But he doesn't have the same visibility that Apple has over the entire process and Apple has to make difficult and unpopular choices every day of the week. He has no knowledge of what else is on Apple's plate. That's the definition of triage. The net result here is that the bug discoverer is putting his own concerns, which are not entirely self serving, above the bigger picture - which is solving the problem. He may be unhappy, and Apple is probably pissed off, but the real losers here are Apple's customers because the grandstanding elevates the probability that someone will exploit this issue before Apple can fix it. Our lives are now worse off because of the disclosure, whether or not it was done in spite or with good intentions. Because the bug discoverer knew exactly where Apple was in their response, I'd lean more towards the spiteful motivation.  
    edited August 2020
  • Reply 6 of 9
    dysamoria (Posts: 3,430, member)
    Sorry, I’m not seeing compelling reasons to defend Apple over a lack of bug fixing. Not these days. Work-from-home practices shouldn’t be an excuse, perpetually, and Apple has the tech to make that work (unless they’re afraid to rely on their own tech for secure telecommuting... and, hmm, they don’t rely on their own hardware and OS for data centers, so...).

    Apple are the “most valuable” company on the planet, with extensive resources and deep pockets. It’s also a “popular” employer. The perpetuation of software flaws in every Apple product has long gotten out of bounds of acceptability. Since 2013, it’s been getting worse and worse. They’ve had years to put better practices into place, and they only recently addressed a development practice where new code got checked in too rapidly??

    Sorry, not on Apple’s side here; maybe next issue.
  • Reply 7 of 9
    dysamoria said:
    Sorry, I’m not seeing compelling reasons to defend Apple over a lack of bug fixing. Not these days. Work-from-home practices shouldn’t be an excuse, perpetually, and Apple has the tech to make that work (unless they’re afraid to rely on their own tech for secure telecommuting... and, hmm, they don’t rely on their own hardware and OS for data centers, so...).

    Apple are the “most valuable” company on the planet, with extensive resources and deep pockets. It’s also a “popular” employer. The perpetuation of software flaws in every Apple product has long gotten out of bounds of acceptability. Since 2013, it’s been getting worse and worse. They’ve had years to put better practices into place, and they only recently addressed a development practice where new code got checked in too rapidly??

    Sorry, not on Apple’s side here; maybe next issue.
    Interested in seeing the sources for this assertion.
  • Reply 8 of 9
    genovelle said:
    That seems unreasonable considering the fact that he notified them in the middle of a Pandemic when resources and developers were dispatched to work with Google to develop a Covid-19 exposure tracking platform and move their entire developers conference online. 
    Apple is not a small indie company.
  • Reply 9 of 9
    bulk001 (Posts: 764, member)
    Rayz2016 said:
    viclauyyc said:
    genovelle said:
    That seems unreasonable considering the fact that he notified them in the middle of a Pandemic when resources and developers were dispatched to work with Google to develop a Covid-19 exposure tracking platform and move their entire developers conference online. 
    You know something called work from home?

    Apple has tens of thousands of engineers; finding a couple of them to deal with the problem will not be that hard. Also, Apple is selling for security of their products these days. Shouldn’t they put a little more resources to handle it? April to next January is 9 months; no matter how you look at it, it is a very long time for a security patch.
    The problem here is that you have no idea how many engineers Apple has, how many of them work on the Web Share API, how many other apps rely on the Web API, the level of testing involved in the fix, the other higher-priority bugs in front of this minor problem in the queue, how many other projects would be affected by dropping everything to fix this, or anything at all about some software development. 
    They are the world’s most valuable company. If they don’t have enough engineers or programmers they can hire some more. Instead of making excuses for them, expect more, not less!