Bug 215842: RESOLVED DUPLICATE of bug 215823
Web Share allows for inadvertently sharing of local files
https://bugs.webkit.org/show_bug.cgi?id=215842
Thomas Steiner
Reported 2020-08-26 00:51:37 PDT
Created attachment 407280
macOS Messages

Full credits: https://blog.redteam.pl/2020/08/stealing-local-files-using-safari-web.html

Below are the steps to reproduce the issue:

1. Visit https://overflow.pl/webshare/poc1.html using Safari or Mobile Safari
2. Click “Share it with friends!”
3. Select the method (e.g. Mail, Messages)
4. “Send it” or “Share it” (or just inspect what has been attached)
5. Local /etc/passwd has been sent to the recipient

This works on both iOS (still as of iOS 14 beta 6) and macOS, tested on Safari Release 112 (Safari 14.0, WebKit 15610.1.25.5.1).

Gmail (or Safari?) does some renaming of the shared file without user intervention (see https://user-images.githubusercontent.com/145676/91273520-ad247f80-e77d-11ea-973d-ebd2b4337bf7.png), whereas Messages and Mail seem to use the original file name.

Related spec issue: https://github.com/w3c/web-share/issues/173.
Attachments
macOS Messages (67.57 KB, image/png)
2020-08-26 00:51 PDT, Thomas Steiner
no flags
Timothy Hatcher
Comment 1 2020-08-26 09:07:12 PDT
*** This bug has been marked as a duplicate of bug 215823 ***