We have serious doubts that Apple needs an exterminator to visit its Cupertino headquarters. That’s because the company is pretty good about squashing its bugs in a timely manner.
That’s not to say that all Apple bugs go quietly. Sometimes the company requires a little bit of help finding its digital biggest threats. Tap or click here to see how Apple’s rival Google helped it eliminate a dangerous security flaw.
A newly discovered bug found in its Safari browser might end up putting a dent in Apple’s reputation for timely bug fixes, however. This bug could allow hackers to hijack a benign browser feature to steal files and private data – and it has yet to be patched. Here’s what you need to know before you share another link.
Sharing without caring
According to a bulletin posted by Polish security researcher Pawel Wylecial at REDTEAM.PL, an unusual bug was discovered in Apple’s Safari API that can let hackers take advantage of an otherwise harmless feature in order to steal sensitive files.
The bug in question deals a Safari feature that lets users share links, images, videos and other content across the web and with contacts.
Normally, this feature lets you share the items on your phone harmlessly. But a malicious actor could theoretically modify a sharing link in order to “steal” shared files. In other words, this means once you’ve shared a photo using one of these altered links, the file you sent is not the one you intended to.
To replicate the issue, REDTEAM.PL modified a link to extract a password document despite claiming to request a cat photo. This means that should someone make the mistake of clicking on this kind of link, it could lead to dangerous scenarios like web browser history or private system files getting extracted.
And to make matters worse, system dialogues in MacOS don’t always fully show the file being shared. This means a user could have their device robbed without realizing it.
Pawel reached out to Apple with evidence of the bug in April, but was shocked at how dismissive the company was about the issue. Because the glitch requires user interaction, it was dubbed “low priority.” Apple admits its working on a fix as we speak, but it won’t even be available until spring 2021.
Apple typically requests that bug bounty hunters wait to disclose their findings until Apple can formally address the issue. But due to this “unreasonable” timeline, Pawel took it upon himself to share his findings with the web at large.
What can I do in the meantime while I wait for Apple’s patch?
As of now, the best course of action is to only use the share link on your own using the icon in Safari that looks like a box with an arrow coming out of it. The glitch in question would require you clicking on a malicious link that prompts the share menu to open, so sharing from your phone’s menu on your own won’t be harmful at all.
That said, the fact that links like this can exist means it’s time to stop responding to menu prompts you encounter online. If a website instructs or requests that you share a file, assume that it’s a trap by default.
Otherwise, you may be surprised at what you could lose from your smartphone. Never forget: Your entire browsing history, your photos and your passwords could be at stake!