Are you a Mac owner? Are you using the Safari browser to surf the web? If so, you could be vulnerable to an attack that allows malicious hackers to steal files from your computer.
Cybersecurity researchers at Warsaw-based Redteam.pl discovered a flaw in Safari's implementation of the Web Share API, the browser feature that lets a web page hand a link to the system share sheet. Safari accepted file:// URLs in a share request, so a page could attach a file from the victim's local disk to the message being shared. Click in Safari to share a cute kitten picture with a friend and you could unknowingly send a file from your own system to an attacker.
In a blog post disclosing the vulnerability, Redteam.pl co-founder Pawel Wylecial uses the /etc/passwd file as an example. On macOS that plain-text file lists the built-in system accounts (regular user accounts live in the Directory Service, and the file holds no password hashes), but it is present on every Mac, which makes it a convenient way to prove that the browser will read an arbitrary local path.
Even so, it's not the sort of information you'd want falling into the hands of a cybercriminal. More to the point, the same trick works for any file the logged-in user can read, and what is taken could be used to set up a more sophisticated attack.
The situation is not as dire as it may seem at first. Wylecial notes that the vulnerability can't be exploited without the would-be victim performing an action: the user has to trigger the share from the page, pick a target such as Mail or Messages, and actually send the message.
That said, malicious hackers have proven time and time again that tricking users into becoming unwilling participants in their attacks isn’t all that hard to do.
The proof-of-concept attack Redteam.pl utilized leans on a form of clickjacking. In a clickjacking attack, a user is fooled into clicking or tapping a control they cannot see while believing they are interacting with something else.
The underlying trick was noticed years earlier, but clickjacking (also called UI redressing) was named and demonstrated in 2008 by Robert Hansen and Jeremiah Grossman. The target page is loaded in a transparent iframe and positioned over visible decoy content (like a 'share' button), so a click intended for the decoy is 'hijacked' by the invisible element sitting under the pointer.
It wasn't considered a major threat until later. As the web evolved and we spent more time shopping, banking and interacting online, clickjacking became a go-to hacking tool, and browsers responded with the X-Frame-Options header and, later, the Content-Security-Policy frame-ancestors directive that let a site refuse to be framed.
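The overlay layout described above, and the response-header check a site operator uses to confirm their own pages cannot be framed that way, as an added example. This is illustration code written for this page, not code from the original article or from Redteam.pl's write-up; the target URL, decoy label and sample headers are placeholders chosen for the example.

```javascript
// Added example: the classic clickjacking page and the anti-framing header check.
// Not from the article or from Redteam.pl; all URLs and header values are made up.

// Build the attacker's decoy page. The victim site is loaded in an iframe that is
// fully transparent (opacity: 0) and stacked above a visible decoy button, so a click
// on the decoy actually lands on whatever control of the framed site sits beneath it.
// The absolute positions are hypothetical; a real attacker tunes them to the target.
function buildClickjackPage(targetUrl, decoyLabel) {
  return `<!doctype html>
<html><head><style>
  #decoy  { position: absolute; top: 120px; left: 80px; width: 160px; height: 40px; z-index: 1; }
  #target { position: absolute; top: 0; left: 0; width: 800px; height: 600px;
            opacity: 0; z-index: 2; border: 0; }
</style></head><body>
  <button id="decoy">${decoyLabel}</button>
  <iframe id="target" src="${targetUrl}"></iframe>
</body></html>`;
}

// Case-insensitive lookup over a plain object of response headers.
function getHeader(headers, name) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? null : headers[key];
}

// Decide whether a response forbids cross-origin framing. Browsers honour a CSP
// frame-ancestors directive over X-Frame-Options when both are present, so CSP is
// checked first. Returns true when framing by third parties is blocked.
function framingBlocked(headers) {
  const csp = getHeader(headers, 'content-security-policy');
  if (csp) {
    const directive = csp.split(';').map(d => d.trim())
      .find(d => d.toLowerCase().startsWith('frame-ancestors'));
    if (directive) {
      const sources = directive.split(/\s+/).slice(1).map(s => s.toLowerCase());
      // 'none', 'self' or an explicit host list all block arbitrary third parties;
      // a bare wildcard or a scheme-only source lets any site frame the page.
      const open = ['*', 'http:', 'https:', 'http://*', 'https://*'];
      return !sources.some(s => open.includes(s));
    }
  }
  const xfo = getHeader(headers, 'x-frame-options');
  if (xfo) {
    const v = xfo.trim().toUpperCase();
    // ALLOW-FROM is obsolete and ignored by current browsers, so only these two count.
    return v === 'DENY' || v === 'SAMEORIGIN';
  }
  return false;
}

// Constructed sample responses: one hardened, one that still allows framing.
const SAMPLE_HARDENED = { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'" };
const SAMPLE_EXPOSED  = { 'Content-Type': 'text/html', 'Content-Security-Policy': "frame-ancestors *" };
```

Running framingBlocked over a site's real responses is the quick check to make after reading a story like this one: a page that serves neither header can be dropped into the transparent iframe above without any further trick.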
Redteam.pl disclosed the Safari vulnerability to Apple in mid-April 2020. After repeated follow-ups, the company eventually stated that a fix was being prepared for Spring 2021.
Believing that a year was not a reasonable amount of time to wait for the patch, Redteam.pl opted to post its findings publicly. The ball is now in Apple's court.
The company has been contacted for comment and this post will be updated with any response.