The company is relying on the fact that user interaction is required to exploit the flaw

Apr 26, 2013 14:53 GMT  ·  By

Security researchers from Rapid7 have identified a vulnerability in Apple's Safari web browser that lets an attacker run script in the context of other websites. Apple, however, does not plan to fix the issue, because the attack requires user interaction.

The flaw, a universal cross-site scripting (UXSS) issue, lies in the security model behind the .webarchive file format, which Safari uses to save a webpage together with all of its resources (HTML, scripts, images, frames) in a single file. A webarchive records the URL each resource was fetched from, and Safari renders the saved content in that recorded origin, so a crafted archive can claim to be any site and carry script that then runs with that site's privileges.

For the attack to work, the attacker must get a maliciously crafted .webarchive file to the victim and convince them to open it manually.

Apple relies on the fact that, before the file is opened, users are shown a warning informing them that the "content was downloaded from a webpage."

Rapid7's researchers, on the other hand, say that "this is a potentially dangerous decision," especially since there are several ways to get such a file in front of a victim.

Once the file is opened, an attacker can abuse the UXSS to steal the victim's cookies, CSRF tokens and saved passwords for the spoofed site, read local files, and even plant poisoned JavaScript in Safari's cache so that the injected code outlives the archive itself.

Since no fix is planned, Rapid7 advises users simply not to open .webarchive files.
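For anyone who must handle such files (incident responders, mail-gateway maintainers), the practical check is to look inside the archive before Safari ever renders it. The script below is an added example written for this article, not Rapid7's or Apple's code. It assumes the WebKit webarchive layout (a binary plist with WebMainResource, WebSubresources and WebSubframeArchives entries, each carrying WebResourceURL, WebResourceMIMEType and WebResourceData), and it builds a constructed sample file in memory so it runs offline; the host names in that sample are hypothetical. It reports which origin the archive claims to be, which other origins it pulls resources from, and where script is present, which is exactly what a UXSS-bearing archive has to contain.

```python
import plistlib
import re
import sys
from urllib.parse import urlsplit

# Top-level keys Safari writes into a .webarchive (a binary plist).
# Assumption: these are the WebKit WebArchive key names; the article does not list them.
MAIN_KEY = "WebMainResource"
SUBS_KEY = "WebSubresources"
FRAMES_KEY = "WebSubframeArchives"

SCRIPT_RE = re.compile(rb"<script\b", re.IGNORECASE)


def origin(url):
    """Return scheme://host[:port], the part of a URL that a UXSS lets an attacker choose."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def walk(archive):
    """Yield (role, resource dict) for the main resource, every subresource and,
    recursively, every resource inside nested subframe archives."""
    main = archive.get(MAIN_KEY)
    if main:
        yield "main", main
    for sub in archive.get(SUBS_KEY, []):
        yield "sub", sub
    for frame in archive.get(FRAMES_KEY, []):
        for role, res in walk(frame):
            yield "frame-" + role, res


def triage(data):
    """Parse raw .webarchive bytes and return what a reviewer wants to know before
    opening the file: the origin it claims, other origins it references, which
    resources are script, and which HTML documents carry an inline <script>."""
    archive = plistlib.loads(data)  # plistlib detects binary vs XML plist itself
    report = {"main_origin": None, "origins": set(),
              "script_resources": [], "inline_script": []}
    for role, res in walk(archive):
        url = res.get("WebResourceURL", "")
        mime = res.get("WebResourceMIMEType", "").lower()
        body = res.get("WebResourceData", b"")
        o = origin(url) if url else ""
        if o:
            report["origins"].add(o)
        if role == "main" and report["main_origin"] is None:
            report["main_origin"] = o
        if "javascript" in mime or "ecmascript" in mime:
            report["script_resources"].append(url)
        if "html" in mime and SCRIPT_RE.search(body):
            report["inline_script"].append(url)
    # Every origin other than the one the archive claims to be: each is a site
    # whose content would be rendered under the claimed origin's authority.
    report["cross_origin"] = sorted(report["origins"] - {report["main_origin"]})
    report["origins"] = sorted(report["origins"])
    return report


def build_sample():
    """Constructed sample (hypothetical hosts, not a real capture): an archive that
    claims to be https://bank.example/ but ships an inline script and a script
    resource from a different origin."""
    page = b"<html><body>Hello<script>alert(document.domain)</script></body></html>"
    archive = {
        MAIN_KEY: {
            "WebResourceURL": "https://bank.example/",
            "WebResourceMIMEType": "text/html",
            "WebResourceTextEncodingName": "UTF-8",
            "WebResourceFrameName": "",
            "WebResourceData": page,
        },
        SUBS_KEY: [
            {"WebResourceURL": "https://cdn.attacker.example/lib.js",
             "WebResourceMIMEType": "application/javascript",
             "WebResourceData": b"console.log(1)"},
            {"WebResourceURL": "https://bank.example/logo.png",
             "WebResourceMIMEType": "image/png",
             "WebResourceData": b"\x89PNG"},
        ],
    }
    return plistlib.dumps(archive, fmt=plistlib.FMT_BINARY)


if __name__ == "__main__":
    # Usage: python triage_webarchive.py [file.webarchive]; with no argument the sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    r = triage(data)
    print("claims to be:      ", r["main_origin"])
    print("other origins:     ", r["cross_origin"])
    print("script resources:  ", r["script_resources"])
    print("inline <script> in:", r["inline_script"])
```

Any archive that claims a site the recipient cares about and also contains script, inline or from another origin, is the case the article describes; a plain "save page" of a static site usually shows a single origin and no script at all. The check only inspects the plist; it never renders the content, so it is safe to run on untrusted files.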