The flaw, which Ryan Pickren reported to the Cupertino giants last summer, was patched earlier this month, while Pickren got to go home with a $100,000 bounty.
Explaining the end result to The Register, Pickren said it grants the attacker "full access to every website you've visited in Safari, meaning that if you're visiting my evil website on one tab, and then your other tab, you have Twitter open, I can jump into that tab and do everything you can from that screen. So it does allow me to fully perform an account takeover on every website you visited in Safari."
Here's how it works, in brief: Safari supports a number of custom URI schemes, such as mailto:, s3:, and so on. One of them is icloud-sharing:, and triggering it opens ShareBear, an internal macOS app designed for sharing documents via iCloud. A website, for example, can trigger it and have Safari load content hosted elsewhere.
Running malicious webarchives
This wouldn't be a problem, were it not for the simple fact that the downloaded files could later be altered by their author. So, a victim could download an innocent .PNG file, only to have it transform into a malicious webarchive file.
"In essence, the victim has given the attacker permission to plant a polymorphic file onto their machine and the permission to remotely launch it at any moment. Yikes. Agreed to view my PNG file yesterday? Well today it's an executable binary that will be automatically launched whenever I want," Pickren explained in a further blog post.
To fix the problem, Apple did two things. First, in macOS Monterey 12.0.1, it made ShareBear merely reveal downloaded files rather than launch them. Second, it patched WebKit, Safari's engine, to stop downloaded webarchives from being opened.
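As an added illustration, not from the article or from Pickren's write-up, here is a small Python check a defender could run over a downloads folder. It compares a file's extension with what its leading bytes say it is, and re-hashes the file against the digest recorded when it was first saved, so it flags exactly the "PNG yesterday, webarchive today" situation described above. The file name, the sample bytes and the digest store are constructed for the example; the bplist00 prefix is the binary property list header that Safari webarchives are stored with.

```python
import hashlib
import os
from typing import Dict, List, Optional

# Magic-byte signatures for the two formats that matter in this story. PNG is the
# "innocent" file the victim agreed to view; a Safari .webarchive is stored as a
# binary property list, which begins with the bytes "bplist00".
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"bplist00": "webarchive",
}


def sniff(data: bytes) -> str:
    """Classify a file by its leading bytes, ignoring whatever its name claims."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_download(name: str, data: bytes, recorded_hash: Optional[str]) -> List[str]:
    """Return findings for one file: extension/content mismatch, webarchive content,
    or content that no longer matches the digest recorded at download time."""
    findings = []
    ext = os.path.splitext(name)[1].lower().lstrip(".")
    kind = sniff(data)
    if ext == "png" and kind != "png":
        findings.append(f"{name}: extension says png but content looks like {kind}")
    if kind == "webarchive":
        findings.append(f"{name}: content is a webarchive, do not open automatically")
    if recorded_hash is not None and sha256(data) != recorded_hash:
        findings.append(f"{name}: content changed since it was first downloaded")
    return findings


# Constructed sample data: a minimal PNG header plus filler stands in for the image
# the victim viewed; the second blob is what the same file would look like after its
# content has been swapped for a webarchive (file name unchanged).
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
SWAPPED_SAMPLE = b"bplist00" + b"\x00" * 32


def demo() -> Dict[str, List[str]]:
    """Record the digest at download time, then re-check the 'same' file later."""
    digest_store = {"cat.png": sha256(PNG_SAMPLE)}  # hypothetical per-download record
    return {
        "day1": check_download("cat.png", PNG_SAMPLE, digest_store["cat.png"]),
        "day2": check_download("cat.png", SWAPPED_SAMPLE, digest_store["cat.png"]),
    }


if __name__ == "__main__":
    for day, findings in demo().items():
        print(day, findings or ["clean"])
```

The point of recording a digest at download time is that the extension and even the on-disk timestamp tell you nothing once a remote party can rewrite the content; only the bytes you actually saved can be compared with the bytes you are about to open.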
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.