iPhone flaw lets hackers steal your personal data — don't do this in Safari

iPhone 11 Pro
(Image credit: Shutterstock)

An unpatched flaw in the Apple Safari browser lets hackers steal your browsing history, bookmarks, downloads or any other file that Safari can access, a Polish security researcher claims. The problem seems to exist on both Macs and iPhones.

Pawel Wylecial, who has a company called REDTEAM PL, wrote in a blog post yesterday (Aug. 24) that a feature called Web Share does a bit of oversharing in Safari. He said he told Apple of the flaw in April of this year, but because the company has decided not to fix the issue until the spring of 2021, Wylecial decided to go public.

Wylecial described this flaw as "not very serious," but some good social engineering could easily trick Apple users to give up their personal data by luring them to malicious websites.

How easy? Wylecial created a proof-of-concept demonstration that you can try yourself at https://overflow.pl/webshare/poc2.html. If you click on the button labeled "share it with friends!" under the cute kitten in Safari, you'll be prompted with a list of possible apps for delivery -- Messages, Mail and so on. 

Choose a recipient and send the link, but beware: The recipient will also get your browsing history. We can see how data thieves could trick users into sending links to strangers as well.

What not to do

To avoid falling victim to this sort of thing, don't use Web Share in Safari for the time being. If you want to share a link with friends, fall back on the tried 'n' true method of selecting the link in the browser address bar, copying it, opening up an email or messaging app and pasting it the body of the text.

We tried it ourselves 

We tested Wylecial's proof of concept on Chrome for Android and it didn't work. But we had another person open the link in Safari on her iPhone, click the "Share it with friends!" button and send the link to our Gmail account. We received a SQLite database of her browsing history.

We asked another person to test Wylecial's proof of concept on a Mac. However, the "Share it with friends!" button seemed to only work with Apple applications. As she didn't have Mail set up to handle her email (she uses Gmail and Outlook), we couldn't go any further, but we think we could have if Mail had been set up.

Web oversharing

Web Share lets browser users easily send browser links to friends via email or instant messages, but Wylecial says that Safari's implementation of Web Share doesn't check those links to see if there's anything else added. 

Wylecial discovered that if he appended a local filepath to the URL, the Safari Web Share function would copy the file as well as the URL and send both to the recipient of the Web Share.

Web Share is an open-source feature made available for all browsers, but according to the latest documentation, its only desktop implementation so far is on Safari for Macs. On mobile devices, Web Share is supported on Chrome, Opera and Samsung Internet for Android and on Safari for iOS. 

Tom's Guide has reached out to Apple seeking comment, and we will update this story should we receive a reply.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.