215842 – Web Share allows for inadvertently sharing of local files

Bug 215842 - Web Share allows for inadvertently sharing of local files

Summary: Web Share allows for inadvertently sharing of local files

Status:	RESOLVED DUPLICATE of bug 215823

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	New Bugs (show other bugs)
Version:	Safari Technology Preview
Hardware:	Unspecified Unspecified

Importance:	P2 Major
Assignee:	Nobody

URL:
Keywords:

Depends on:
Blocks:

Reported:	2020-08-26 00:51 PDT by Thomas Steiner
Modified:	2020-08-26 09:07 PDT (History)
CC List:	1 user (show)

See Also:

Attachments
macOS Messages (67.57 KB, image/png) 2020-08-26 00:51 PDT, Thomas Steiner	no flags	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Thomas Steiner 2020-08-26 00:51:37 PDT

Created attachment 407280 [details]
macOS Messages

Full credits: https://blog.redteam.pl/2020/08/stealing-local-files-using-safari-web.html

Below are the steps to reproduce the issue:

1. Visit https://overflow.pl/webshare/poc1.html using Safari or Mobile Safari 
2. Click “Share it with friends!”
3. Select the method (e.g. Mail, Messages)
4. “Send it” or “Share it” (or just inspect what has been attached)
5. Local /etc/passwd has been sent to the recipient

This works on both iOS (still as of iOS 14 beta 6) and macOS, tested on Safari Release 112 (Safari 14.0, WebKit 15610.1.25.5.1). 

Gmail (or Safari?) does some renaming of the shared file without user intervention (see https://user-images.githubusercontent.com/145676/91273520-ad247f80-e77d-11ea-973d-ebd2b4337bf7.png), whereas Messages and Mail seem to use the original file name.

Related spec issue: https://github.com/w3c/web-share/issues/173.

Comment 1 Timothy Hatcher 2020-08-26 09:07:12 PDT


*** This bug has been marked as a duplicate of bug 215823 ***