Researcher reveals Safari data leak bug after Apple delays patch to 2021
Researcher Pawel Wylecial on Monday revealed a Safari bug after being told by Apple that an incoming patch would have to wait until spring 2021.
Wylecial, who founded Polish research group REDTEAM.PL, first discovered and informed Apple of the issue in April, noting the flaw can leak user information and be leveraged to steal data on both iOS and Mac, according to a blog post Monday.
The bug is rooted in Apple's Web Share API, a new standard that enables sharing of links, files and other data from a browser via third-party applications, reports ZDNet. According to Wylecial, Apple's implementation supports the file: scheme, meaning shared messages can in some cases include files from the local system. Wylecial characterizes the issue as low risk because user interaction is required to facilitate the potential data leak. He does note, however, that users may be unaware that they are sharing local data, as the attached files can be made largely "invisible" during the process.
As pointed out by ZDNet, a more pressing problem is Apple's handling of the bug report.
Apple acknowledged that it was analyzing the issue about a week after it took receipt of Wylecial's initial alert, but multiple follow-up requests for status updates were left unanswered.
Wylecial in early August informed the company that the bug would be disclosed publicly on Aug. 24. Apple asked to withhold an announcement, saying the problem would be addressed in a spring 2021 security update. Finding the proposed timeline unreasonable, Wylecial opted to detail the bug on his blog.
Comments
In good software development organizations there is a process for triaging all bugs. It's usually driven by an algorithm of sorts, like a failure mode effects analysis (FMEA) applied to software. People who understand the code, people who understand the functional impact of the bug, and people who understand the customer impact all weigh in on prioritizing the work needed to fix a bug so it can be prioritized against ALL other work that is on the team's plate. By design all security and privacy related bugs get bumped up in priority by default, but there's always going to be more tasks queued up within a certain time window than there are qualified people to work on the tasks. That's just a fact of life and making everything the "top priority" doesn't solve anything when you have to deal with time, people, and for some organizations, financial constraints.
Bottom line is that Apple didn't pull the Spring 2021 estimate out of their ass. It came from an analytical process. I understand that the bug discoverer wants to get recognition and at some level feels that Apple doesn't have the same sense of urgency that he has about this bug. I get it. But he doesn't have the same visibility that Apple has over the entire process and Apple has to make difficult and unpopular choices every day of the week. He has no knowledge of what else is on Apple's plate. That's the definition of triage. The net result here is that the bug discoverer is putting his own concerns, which are not entirely self-serving, above the bigger picture - which is solving the problem. He may be unhappy, and Apple is probably pissed off, but the real losers here are Apple's customers because the grandstanding elevates the probability that someone will exploit this issue before Apple can fix it. Our lives are now worse off because of the disclosure, whether or not it was done in spite or with good intentions. Because the bug discoverer knew exactly where Apple was in their response, I'd lean more towards the spiteful motivation.
Apple are the “most valuable” company on the planet, with extensive resources and deep pockets. It’s also a “popular” employer. The perpetuation of software flaws in every Apple product has long gotten out of bounds of acceptability. Since 2013, it’s been getting worse and worse. They’ve had years to put better practices into place, and they only recently addressed a development practice where new code got checked in too rapidly??
Sorry, not on Apple’s side here; maybe next issue.