A new security breach found in iOS 13 and macOS Catalina can lead anyone to get the user’s navigation history in Safari. Due to an unexpected behavior, Safari Web Share API is able to access internal system files such as the browsing history database, which can be easily shared through other apps.
As explained by the specialized cybersecurity blog Redteam.Pl, hackers can implement a modified button with the Safari Web Share API to request internal operating system files that are not accessible by the user.
If you’re not familiar with the Web Share API, it enables apps and websites to offer what is called a “Share Sheet,” allowing users to easily share web content with others through apps like Mail, Messages, and more. When you tap a Share button, it shares a defined URL or file.
Redteam.Pl found that, for some unknown reason, anyone can easily add the Safari Web Share API to a webpage with code to request internal files with sensitive information by using “file:” scheme.
They pointed the Share button to the system’s History.db file, which contains the user’s entire browsing history in Safari. In a normal condition, this file should be inaccessible to users, but the Web Share API can read it and send it through other apps. Once this file is sent to another person, it can be opened by any app that manages SQLite databases.
The result is something like what you can see in the tweet below:
However, while this security breach can easily be explored by someone with basic knowledge of HTML code, it requires tricking the user since the gathered file is not automatically sent to other people. With just a simple code, the attached file is shown far below the regular Mail compose view, so most users wouldn’t notice that they’re sending their browsing history to someone else.
The most difficult part, of course, is convincing the user to send an email or message with that file to a specific address.
Redteam.Pl researchers contacted Apple in April this year to report the security breach, and the company confirmed that it is investigating the issue without further details. 9to5Mac was able to reproduce the code and we can confirm that it works as described.
However, we haven’t been able to reproduce it on any device running iOS 14 or macOS Big Sur, which suggests that Apple has already fixed this breach with its latest beta releases. Apple has yet to confirm whether the issue will be fixed for users running older versions of iOS and macOS, as iOS 14 and macOS Big Sur are only expected to be available to the public this fall.
You can read more in-depth details about it on Redteam.Pl’s website.
FTC: We use income earning auto affiliate links. More.