Security Researcher Found a Bug in the Safari Browser
Security researcher Pawel Wylecial, co-founder of the Polish security firm REDTEAM.PL, discovered the bug. He first reported it to Apple in April, but no fix followed, so he published a post with his findings. The OS maker, however, kept delaying the fix.

In his blog post, the researcher wrote that the bug lies in Safari's Web Share API, which lets users share links, files, and other content from the browser through third-party apps. Safari on both iOS and macOS supports sharing files stored on the local hard drive. This is a serious privacy problem: a malicious web page can invite the user to share an article via email and, in doing so, secretly leak a file from their device.

Wylecial said the bug is not very serious, since user interaction and fairly involved social engineering are needed to trick a user into leaking local files. At the same time, he noted that attackers could easily make the user share a file.

The main problem, though, is not only the bug itself but how Apple handled the report. Apple failed to have a patch ready and also tried to delay the researcher from publishing his findings. Situations like the one Wylecial faced are becoming common among iOS and macOS bug hunters: when he disclosed the bug, other researchers reported the same experience, with Apple delaying fixes for bugs they had reported a year earlier.

In July, Apple announced the rules of its Security Research Device program, which Google's vaunted Project Zero security team declined to join. The team said the program's rules were written to limit public disclosure and muzzle security researchers about their findings. In April, another researcher said much the same about Apple's bug bounty program, calling it "a joke".
— Nikhil Mittal (@c0d3G33k) August 24, 2020
It’s a joke. I think the goal is just to keep researchers quiet about bugs for as long as possible. — Jeff Johnson (@lapcatsoftware) April 21, 2020