Zero-day flaw in Safari allows easy stealing of local files


Sharing text, links or files isn’t just for apps. Websites can now offer this functionality too, thanks to the new Web Share API standard. This is obviously very convenient, as long as the technology is not implemented carelessly, which is what Apple did with Safari.

A few months ago, security researcher Pawel Wylecial discovered that the browser allowed “file:” links to be shared, on both iOS and macOS. This is a very bad idea, because it lets a hacker trick someone into sharing a local file without realizing it. The researcher recorded a video demonstration using the iOS Mail application. In it, the attached browsing history is hardly visible, thanks to the clever addition of a number of line breaks.
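The check whose absence is described above, sketched as an added example (not code from the researcher's write-up or from Apple): a share handler that accepts only http and https URLs and flags text padded with long runs of line breaks. The function name, the payload shape modelled on the argument to `navigator.share()`, the two-line-break threshold and the sample values are assumptions.

```javascript
// Added example; checkSharePayload and both constants are hypothetical names.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);
const MAX_CONSECUTIVE_NEWLINES = 2; // assumed threshold for "padding"

// payload: { title, text, url } as a page would pass to navigator.share().
// baseUrl: URL of the page requesting the share (used for relative URLs).
function checkSharePayload(payload, baseUrl) {
  const problems = [];

  if (payload.url !== undefined) {
    let resolved = null;
    try {
      // Parsing normalises case and strips leading whitespace, so
      // "FILE:///..." and " file:///..." both end up as protocol "file:".
      resolved = new URL(String(payload.url), baseUrl);
    } catch (err) {
      problems.push("url does not parse");
    }
    if (resolved && !ALLOWED_SCHEMES.has(resolved.protocol)) {
      problems.push("url scheme not allowed: " + resolved.protocol);
    }
  }

  for (const field of ["title", "text"]) {
    const value = payload[field];
    if (typeof value !== "string") continue;
    // Treat \r\n and \r as \n, then measure the longest run of line breaks.
    const runs = value.replace(/\r\n?/g, "\n").match(/\n+/g) || [];
    const longest = runs.reduce((max, run) => Math.max(max, run.length), 0);
    if (longest > MAX_CONSECUTIVE_NEWLINES) {
      problems.push(field + " contains " + longest + " consecutive line breaks");
    }
  }

  return { ok: problems.length === 0, problems };
}

// Constructed sample inputs (not taken from the original report).
const benign = { title: "Article", text: "Worth a read", url: "story?id=7" };
const suspicious = {
  text: "Check out this cool site" + "\n".repeat(40),
  url: "FILE:///constructed/sample.txt",
};
console.log(checkSharePayload(benign, "https://example.com/news/"));
console.log(checkSharePayload(suspicious, "https://example.com/news/"));
```
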

Unfortunately, there is no patch at this time. The researcher alerted Apple last April. The firm did not get back to him until August 14, when it said the problem would be corrected … in the spring of 2021. The researcher finds that delay totally absurd, which is why he has just published the technical details of the flaw. Not sure Apple will reward him …

Source: Pawel Wylecial's blog post
