Metasploit software developer Joe Vennix has detailed a vulnerability in Safari’s webarchive file format along with how it can be exploited. The post on Rapid7 says that after being reported to Apple back in February, the bug was closed last month with a status of “wontfix”, indicating that Apple has no plans to address the bug. So what is it and why is that?
The bug found in Safari’s security model is a lack of restriction on what data can be accessed by files in a web archive. Normally a page like apple.com would be restricted to reading cookies that belonged to only the apple.com domain. It could not read cookies from another domain, such as gmail.com. This is critical because if all of your cookies were readable by any website, it would be trivial for a malicious site to send your cookies back to an attacker, who could then log in to your accounts on any number of websites. In the case of Safari’s web archives, it’s possible for a malicious web archive to not only access content stored by another site, but potentially any file on the victim’s computer.
With such a serious-sounding vulnerability, you might be wondering why Apple wouldn’t want to fix it. The answer seems to be that an exploit like this cannot be accomplished without user action. You couldn’t actually be affected by this unless you were to download and open a malicious .webarchive file. Users can avoid being attacked by employing the age-old advice of not opening strange files from the Internet (or anywhere else for that matter). That said, some people still do and surely will continue to do so. Given the potential impact of a vulnerability like this on users, it certainly seems like something Apple would want to fix at some point.
If you’re interested in understanding more about how this bug works or can be exploited, Joe’s blog post covers several real-world examples of how it could be used.
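As an added, defender-side illustration (this is not code from the Rapid7 post or from Apple), the following Python triages a .webarchive before anyone opens it. It assumes the archive is a binary property list with WebMainResource and WebSubresources entries, and reports which origins the archive claims, whether the main document carries script (which would run with that claimed origin's privileges), and whether any resource points at a file:// URL; the sample archives are constructed inline.

```python
import plistlib
from urllib.parse import urlsplit

SCRIPT_MARKERS = (b"<script", b"javascript:")


def make_archive(main_url, html, sub_urls=()):
    """Build a minimal binary-plist webarchive (constructed sample, not a real file)."""
    res = lambda url, data, mime: {
        "WebResourceURL": url,
        "WebResourceMIMEType": mime,
        "WebResourceTextEncodingName": "UTF-8",
        "WebResourceData": data,
    }
    archive = {
        "WebMainResource": res(main_url, html, "text/html"),
        "WebSubresources": [res(u, b"", "text/plain") for u in sub_urls],
    }
    return plistlib.dumps(archive, fmt=plistlib.FMT_BINARY)


def _origin(url):
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}"


def triage_webarchive(blob):
    """Summarise what a .webarchive claims about itself without rendering it."""
    archive = plistlib.loads(blob)
    main = archive.get("WebMainResource", {})
    resources = [main] + list(archive.get("WebSubresources", []))
    urls = [r.get("WebResourceURL", "") for r in resources if r.get("WebResourceURL")]
    origins = sorted({_origin(u) for u in urls})
    body = bytes(main.get("WebResourceData", b"")).lower()
    has_script = any(m in body for m in SCRIPT_MARKERS)
    local_refs = [u for u in urls if u.startswith("file:")]
    return {
        "origins": origins,
        "main_has_script": has_script,
        "local_file_refs": local_refs,
        # Script in a downloaded archive, or any file:// reference, deserves a look:
        # the archive decides which origin that script runs under.
        "needs_review": has_script or bool(local_refs),
    }


# Constructed sample: claims a mail origin, carries script, references a local path.
SAMPLE = make_archive(
    "https://mail.example.com/inbox",
    b"<html><body><script>/* constructed sample */</script></body></html>",
    ["file:///Users/someone/Documents/notes.txt"],
)
```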