Bug 215842

Summary:

Web Share allows for inadvertently sharing of local files

Product:

WebKit

Reporter:

Thomas Steiner <tomac>

Component:

New Bugs

Assignee:

Nobody <webkit-unassigned>

Status:

RESOLVED DUPLICATE

Severity:

Major

CC:

timothy

Priority:

Version:

Safari Technology Preview

Hardware:

Unspecified

OS:

Unspecified

Attachments:

Description	Flags
macOS Messages	none

Description Thomas Steiner 2020-08-26 00:51:37 PDT

Created attachment 407280 [details]
macOS Messages

Full credits: https://blog.redteam.pl/2020/08/stealing-local-files-using-safari-web.html

Below are the steps to reproduce the issue:

1. Visit https://overflow.pl/webshare/poc1.html using Safari or Mobile Safari 
2. Click “Share it with friends!”
3. Select the method (e.g. Mail, Messages)
4. “Send it” or “Share it” (or just inspect what has been attached)
5. Local /etc/passwd has been sent to the recipient

This works on both iOS (still as of iOS 14 beta 6) and macOS, tested on Safari Release 112 (Safari 14.0, WebKit 15610.1.25.5.1). 

Gmail (or Safari?) does some renaming of the shared file without user intervention (see https://user-images.githubusercontent.com/145676/91273520-ad247f80-e77d-11ea-973d-ebd2b4337bf7.png), whereas Messages and Mail seem to use the original file name.

Related spec issue: https://github.com/w3c/web-share/issues/173.

Comment 1 Timothy Hatcher 2020-08-26 09:07:12 PDT


*** This bug has been marked as a duplicate of bug 215823 ***