Apple Doesn’t Want to Fix Safari Bug That Can Be Exploited to Steal User Passwords

The company is relying on the fact that user interaction is required to exploit the flaw

By on April 26th, 2013 14:53 GMT

Security researchers from Rapid7 have identified a vulnerability in the Safari web browser that could be exploited by cybercriminals for a number of malicious tasks. However, Apple doesn’t plan on fixing the issue because the attack requires user interaction. 

The flaw in question, a universal cross-site scripting (UXSS) issue, plagues the security model behind the .webarchive file format, which is used to save all the resources from a webpage into a single file.

For the attack to work, the cybercriminal must send victims a maliciously crafted webarchive file and convince them to manually open it.

Apple relies on the fact that, before the file is opened, users are presented with a warning informing them that the “content was downloaded from a webpage.”

On the other hand, experts say that “this is a potentially dangerous decision,” especially since there are numerous attack vectors.

Cybercriminals can abuse this UXSS to steal user cookies, CSRF tokens, saved passwords, local files, and they can even store poisoned JavaScript in the cache.

Since there’s no fix for the issue, Rapid7 advises users to avoid opening .webarchive files.
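Because the advice is simply not to open such files, a practitioner receiving one still needs a way to see what is inside without handing it to Safari. The following is an added example, not code from the article or from Rapid7: a standard-library Python script that parses a .webarchive as the binary property list it is, lists the origin each embedded resource claims, and flags embedded script and any resource attributed to an origin other than the main page's. The archive it inspects is constructed inline for the demonstration; the plist keys (WebMainResource, WebSubresources, WebResourceURL, WebResourceMIMEType, WebResourceData) are the ones the format uses, while the helper names are this example's own.

```python
"""Inspect a Safari .webarchive offline, without opening it in the browser.

A .webarchive is a binary property list (plist).  Its top-level dictionary
holds WebMainResource (the page itself) and an optional WebSubresources
array (scripts, images, stylesheets, ...).  Each resource is a dict with
WebResourceURL, WebResourceMIMEType and WebResourceData.  This tool reports
the origins the archive claims for its resources and flags embedded script,
so a file received from an untrusted party can be reviewed before anyone
double-clicks it.  Only the standard library is used.
"""
import plistlib
import sys
from urllib.parse import urlparse

# Constructed sample archive (not a real capture): a page attributed to one
# origin that carries a script resource attributed to a different origin.
SAMPLE_WEBARCHIVE = plistlib.dumps(
    {
        "WebMainResource": {
            "WebResourceURL": "https://example.com/index.html",
            "WebResourceMIMEType": "text/html",
            "WebResourceTextEncodingName": "UTF-8",
            "WebResourceFrameName": "",
            "WebResourceData": b"<html><body><script src='app.js'></script></body></html>",
        },
        "WebSubresources": [
            {
                "WebResourceURL": "https://bank.example.net/app.js",
                "WebResourceMIMEType": "application/javascript",
                "WebResourceData": b"console.log('constructed sample');",
            },
            {
                "WebResourceURL": "https://example.com/logo.png",
                "WebResourceMIMEType": "image/png",
                "WebResourceData": b"\x89PNG\r\n\x1a\n",
            },
        ],
    },
    fmt=plistlib.FMT_BINARY,
)

# MIME types under which a subresource would be executed as script.
SCRIPT_MIME_TYPES = {
    "application/javascript",
    "application/x-javascript",
    "application/ecmascript",
    "text/javascript",
}


def summarize_webarchive(data: bytes) -> dict:
    """Parse the archive and return the facts a reviewer needs before opening it."""
    archive = plistlib.loads(data)
    main = archive.get("WebMainResource", {})
    main_url = main.get("WebResourceURL", "")
    main_origin = urlparse(main_url).netloc

    resources = []
    for res in archive.get("WebSubresources", []):
        url = res.get("WebResourceURL", "")
        mime = res.get("WebResourceMIMEType", "")
        resources.append({
            "url": url,
            "mime": mime,
            "is_script": mime.lower() in SCRIPT_MIME_TYPES,
            # A resource that claims another site's origin is the thing to look at.
            "foreign_origin": urlparse(url).netloc != main_origin,
            "size": len(res.get("WebResourceData", b"")),
        })

    # Inline <script> in the main document counts as script too.
    has_inline_script = b"<script" in main.get("WebResourceData", b"").lower()
    return {
        "main_url": main_url,
        "main_origin": main_origin,
        "resources": resources,
        "script_count": sum(r["is_script"] for r in resources) + int(has_inline_script),
        "foreign_origins": sorted(
            {urlparse(r["url"]).netloc for r in resources if r["foreign_origin"]}
        ),
    }


def report(summary: dict) -> str:
    """Render the summary as plain text for a terminal."""
    lines = [f"main resource : {summary['main_url']}"]
    for r in summary["resources"]:
        flags = []
        if r["is_script"]:
            flags.append("SCRIPT")
        if r["foreign_origin"]:
            flags.append("FOREIGN-ORIGIN")
        lines.append(f"  {r['mime']:<24} {r['size']:>7} B  {r['url']}  {' '.join(flags)}")
    lines.append(f"script resources : {summary['script_count']}")
    lines.append(f"foreign origins  : {', '.join(summary['foreign_origins']) or 'none'}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python inspect_webarchive.py file.webarchive   (no argument: built-in sample)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_WEBARCHIVE
    print(report(summarize_webarchive(blob)))
```

Run against the constructed sample, the report shows the main page attributed to example.com and one script resource attributed to bank.example.net; a file in which subresources claim origins the sender has no business speaking for is exactly the kind the article's advice applies to, and the script never passes the content to a renderer.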
.webarchive vulnerability can be exploited against Safari users