
Stealing local files using Safari Web Share API - doener
https://blog.redteam.pl/2020/08/stealing-local-files-using-safari-web.html
======
andreasley
"Apple replied asking not to publish the details as they plan to address the
issue in the Spring 2021 security update"

Besides the fact that I'm always torn if vulnerabilities should be published
if the vendor has committed to fixing them: I don't quite understand why a fix
can't make it into the next big release that's around the corner (macOS Big
Sur and iOS 14). Do large vendors really have such long development pipelines
that changing anything is impossible for months? Or do they just have
thousands of similarly serious issues and need to prioritize?

~~~
scintill76
If this an accurate representation of what Apple said, they have a _security_
update planned for ~6 months from now. What else are we needlessly vulnerable
to until then?

Signed, an iOS convert of 2 months :/

------
Spivak
Is there a use-case where this functionality is useful and non-malicious?

It seems that the protection against this attack is being able to recognize
that the file that's attached isn't the one that's intended but I think it's a
mistake for the local filename and any fs metadata to be preserved when
sharing by default. Sharing a file should mean sharing only the content of the
that file.

~~~
kevincox
I don't think there is a valid use case. It seems like they just weren't
validating the resource well enough.

Reminds me of the somewhat recent mailto:?attachment=/etc/password bug
reappearance [https://gitlab.freedesktop.org/xdg/xdg-
utils/-/issues/177](https://gitlab.freedesktop.org/xdg/xdg-utils/-/issues/177)

