Bug 215842

Summary: Web Share allows for inadvertently sharing of local files
Product: WebKit
Reporter: Thomas Steiner <tomac>
Component: New Bugs
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED DUPLICATE
Severity: Major
CC: timothy
Priority: P2
Version: Safari Technology Preview
Hardware: Unspecified
OS: Unspecified
Attachments:
macOS Messages (flags: none)

Thomas Steiner
Reported 2020-08-26 00:51:37 PDT
Created attachment 407280
macOS Messages

Full credits: https://blog.redteam.pl/2020/08/stealing-local-files-using-safari-web.html

Below are the steps to reproduce the issue:

1. Visit https://overflow.pl/webshare/poc1.html using Safari or Mobile Safari
2. Click “Share it with friends!”
3. Select the method (e.g. Mail, Messages)
4. “Send it” or “Share it” (or just inspect what has been attached)
5. Local /etc/passwd has been sent to the recipient

This works on both iOS (still as of iOS 14 beta 6) and macOS, tested on Safari Release 112 (Safari 14.0, WebKit 15610.1.25.5.1).

Gmail (or Safari?) does some renaming of the shared file without user intervention (see https://user-images.githubusercontent.com/145676/91273520-ad247f80-e77d-11ea-973d-ebd2b4337bf7.png), whereas Messages and Mail seem to use the original file name.

Related spec issue: https://github.com/w3c/web-share/issues/173.
Attachments
macOS Messages (67.57 KB, image/png)
2020-08-26 00:51 PDT, Thomas Steiner
no flags
Timothy Hatcher
Comment 1 2020-08-26 09:07:12 PDT
*** This bug has been marked as a duplicate of bug 215823 ***