Security researchers at REDTEAM.PL in Poland have disclosed a security bug in Safari affecting both iOS and macOS after Apple told them to wait at least 1 year for a fix. The researchers found the security issue and reported it to Apple on Apr 17, and within 4 days Apple acknowledged the issue in Safari and said that the company would investigate.
But then Apple went missing in action. The researchers kept asking Apple for an update for over 4 months, and Apple simply didn’t reply. Unhappy with the response, the researchers said that they might publish the security flaw publicly after Aug 24 if Apple didn’t respond by then.
To this, Apple responded by asking them not to publish the details, as it had decided to address the issue in the Spring 2021 security update. That’s about 1 year on top of the 4 months that the researchers had to wait for a response after Apple acknowledged the issue.
On Aug 17, the researchers replied that “waiting with the disclosure for nearly a further year, while 4 months have already passed since reporting the issue, isn’t reasonable,” and on Aug 24 they published the flaw.
According to the researchers, this security flaw can potentially leak users’ data. While accepting that the issue isn’t a serious one, the researchers weren’t happy that Apple gave so little importance to a flaw that can potentially leak data.
As reported by AppleInsider, a user’s data can be leaked if they share a link from the Safari browser via a third-party application such as a mail app or messaging app.
“The problem isn’t very serious as user interaction is required, however it’s quite easy to make the shared file invisible to the user. The closest comparison that comes to mind is clickjacking as we attempt to convince the unsuspecting user to perform some action,” they added.
This bug affects iOS (13.4.1, 13.6), macOS Mojave 10.14.16 with Safari 13.1 (14609.1.20.111.8) & macOS Catalina 10.15.5 with Safari 13.1.1 (15609.2.9.1.2).