Recent security reports revealed that an unpatched Safari bug could be abused to steal data from a victim's device.
The bug was first reported by Pawel Wylecial, co-founder of the cybersecurity firm REDTEAM.PL. Mr. Wylecial said that he reported it to Apple in April 2020. He decided to publish the details after Apple indicated that a fix would not arrive for roughly a year.
According to Mr. Wylecial, the bug lies in Safari's implementation of the Web Share API, a web standard that lets a page hand text, URLs, and files to the operating system's native share sheet through navigator.share(). The bug affects both the iOS and macOS versions of Safari.
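As an added example (not code from the article, from REDTEAM.PL, or from Apple), the block below shows the shape of a Web Share API call and the checks a caller, or a browser's own implementation, should apply to the payload before the share sheet opens: share only from a user gesture, and only web (http/https) URLs. The page does not describe the mechanism of the Safari bug, so nothing here is a fix for it; the helper names validateShareData() and safeShare() are this example's own, and mockNavigator is a constructed stand-in for a browser so the file runs under Node.

```javascript
// Added example, not code from the article or from REDTEAM.PL. It shows the
// shape of a Web Share API call and the checks a caller (or a browser's own
// implementation) should apply to the payload before invoking the share sheet:
// share only from a user gesture, and only web URLs (http/https). The page does
// not describe the mechanism of the Safari bug, so nothing here is a patch for
// it; validateShareData() and safeShare() are hypothetical helpers of this
// example, and mockNavigator is a constructed stand-in for a browser.

const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Check a ShareData object ({ title, text, url, files }) before sharing.
// Returns { ok: true } or { ok: false, reason }.
function validateShareData(data, baseUrl = 'https://example.org/') {
  if (!data || typeof data !== 'object') {
    return { ok: false, reason: 'share data must be an object' };
  }
  const hasTitle = typeof data.title === 'string' && data.title.length > 0;
  const hasText = typeof data.text === 'string' && data.text.length > 0;
  const hasFiles = Array.isArray(data.files) && data.files.length > 0;
  let hasUrl = false;

  if (data.url !== undefined) {
    let parsed;
    try {
      // Relative URLs resolve against the page's own origin, as the spec does.
      parsed = new URL(String(data.url), baseUrl);
    } catch {
      return { ok: false, reason: 'url is not parseable' };
    }
    // Refuse anything that is not a web URL: file:, javascript:, data:, blob: ...
    if (!ALLOWED_SCHEMES.has(parsed.protocol)) {
      return { ok: false, reason: `url scheme ${parsed.protocol} is not allowed` };
    }
    hasUrl = true;
  }

  if (!hasTitle && !hasText && !hasUrl && !hasFiles) {
    return { ok: false, reason: 'nothing to share' };
  }
  return { ok: true };
}

// Share through navigator.share() only when the API exists, the call follows a
// user gesture, and the payload passes validateShareData().
// Resolves to { shared: true } or { shared: false, reason }.
async function safeShare(data, nav = globalThis.navigator, userActivated = true) {
  if (!nav || typeof nav.share !== 'function') {
    return { shared: false, reason: 'Web Share API not available' };
  }
  if (!userActivated) {
    // Browsers reject share() outside transient activation; mirror that here.
    return { shared: false, reason: 'share() must be called from a user gesture' };
  }
  const check = validateShareData(data);
  if (!check.ok) return { shared: false, reason: check.reason };
  if (typeof nav.canShare === 'function' && !nav.canShare(data)) {
    return { shared: false, reason: 'browser cannot share this payload' };
  }
  try {
    await nav.share(data);
    return { shared: true };
  } catch (err) {
    // AbortError is the normal result when the user dismisses the share sheet.
    return { shared: false, reason: err.name || String(err) };
  }
}

// Constructed stand-in for a browser's navigator so this runs outside a browser.
const mockNavigator = {
  lastShared: null,
  canShare: (d) => d !== undefined,
  share: async (d) => { mockNavigator.lastShared = d; },
};

// In a real page these calls would sit inside a click handler.
safeShare({ title: 'Report', url: 'https://example.org/report' }, mockNavigator)
  .then((r) => console.log('web url:', r));
safeShare({ title: 'Report', url: 'file:///etc/passwd' }, mockNavigator)
  .then((r) => console.log('file url:', r));
```

The scheme check is the part worth keeping: the share payload's url field is attacker-controlled from the page's point of view, so anything the browser forwards to the share sheet should be restricted to web URLs rather than passed through as given.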
Left unpatched, the bug lets a malicious website read data stored locally on the victim's device. While this is a real privacy concern, Mr. Wylecial said the bug is not a serious threat: exploiting it requires social engineering, since the victim must be tricked into visiting a malicious page and then initiating a share action themselves.
An attacker therefore has to lure the target to a compromised or malicious website first, and the attack still depends on the user's own actions, which limits how widely it can be used. Since the bug remains unpatched, however, a well-crafted social engineering lure is still a real risk.
Apple’s patch policy
Although the researcher rates the bug as low severity, Apple has drawn criticism for its handling of the report, and the lack of a timely patch is a major point of concern.
Apple did not patch the bug after Mr. Wylecial's initial report and asked him to hold publication, indicating that a fix would come roughly a full year after the report was filed.
A common industry norm, popularized by Google's Project Zero, gives vendors 90 days to fix a reported vulnerability before the researcher publishes the details, patched or not. The deadline has proven effective, and most vendors work to it.
Regarding this latest Safari bug, it is unclear when Apple plans to release a patch.