Apple declines to fix vulnerability in Safari's Web Archive files, likely because it requires user action to exploit

Apple declines to fix vulnerability in Safari's Web Archive files, likely because it requires user action to exploit | iMore.com Skip to main content Android BlackBerry iPhone / iPad Windows Phone webOS SIGN UP|LOG IN iMore Forums Apps Games Accessories Reviews How-To Podcasts Contests iPhone iPad mini iPad iPod touch Apple TV iOS iCloud iTunes Mac Hot: iPhone 5S Guides: iPhone buyers | iPad buyers | iOS users Free: Wallpaper | iPhone apps, games | iPad apps, games Shop Online Cases Chargers Screen protectors Headsets & More Free shipping on orders over $50 Apple declines to fix vulnerability in Safari's Web Archive files, likely because it requires user action to exploit By Nick Arnott, Sunday, Apr 28, 2013 a 9:48 am 2

Metasploit software developer Joe Vennix has detailed a vulnerability in Safari’s webarchive file format along with how it can be exploited. The post on Rapid7 says that after being reported to Apple back in February, the bug was closed last month with a status of “wontfix”, indicating that Apple has no plans to address the bug. So what is it and why is that?

In Safari, if you go to save a web page, one of the options for the format to use is Web Archive. In many browsers when you save a web page locally, it only consists of the HTML source code itself. This means that any images, embedded videos, linked stylesheets or JavaScript will be lost. When you open a copy of the locally saved page, it will be missing all of the additional content, often not showing much more than text from the page and broken images. Safari’s Web Archive format works by not only saving the HTML of the page, but any linked content. When you open a Web Archive file, you will see the page as it would have originally appeared on the Internet, with all images, styling, and linked content preserved.

The bug found in Safari’s security model is a lack of restriction on what data can be accessed by files in a web archive. Normally a page like apple.com would be restricted to reading cookies that belonged to only the apple.com domain. It could not read cookies from another domain, such as gmail.com. This is critical because if all of your cookies were readable by any website, it would be trivial for a malicious site to send your cookies back to an attacker, who could then log in to your accounts on any number of websites. In the case of Safari’s web archives, it’s possible for a malicious web archive to not only access content stored by another site, but potentially any file on the victim’s computer.

With such a serious sounding vulnerability, you might be wondering why Apple wouldn’t want to fix it. The answer seems to be that an exploit like this cannot be accomplished without user action. You couldn’t actually be affected by this unless you were to download and open a malicious .webarchive file. Users can avoid being attacked by employing the age old advice of not opening strange files from the Internet (or anywhere else for that matter). That said, some people still do and surely will continue to do so. Given the potential impact of a vulnerability like this on users, it certainly seems like something Apple would want to fix at some point.

If you’re interesting in understanding more about how this bug works or can be exploited, Joe’s blog post covers several real world examples of how it could be used.

Source: Rapid7

Nick Arnott

Security editor, breaker of things, and caffeine savant. Writes on neglectedpotential.com about QA & security, and as @noir on Twitter about nothing in particular.

More Posts

 

7 5 75 0 More of: Featured, News
More of: Security, Safari, web archive ? PreviouslyWhat do you want to see in iMore app 3.0? Next up ?Editor's desk: #TM13 There are 2 comments. Add yours. Dev from tipb says: Apr 28, 2013 at 11:36 am - 2 days ago

Other concerns aside for the moment, is the version of webarchive used in iTunes LP and extras vulnerable? If so, this seems like a mistake to leave open, as most people do not know the format is in use there, nor does it seem wise to for Apple to trust only pre-store inclusion scanning.

Reply asuperstarr says: Apr 29, 2013 at 1:18 am - 2 days ago

Well lets hope they work it out.

Reply Contact iMoreSEND US NEWS  |  SUBMIT AN APP

Follow iMore(function(d, s, id) { var js, fjs = d.getElementsByTagName(s)[0]; if (d.getElementById(id)) return; js = d.createElement(s); js.id = id; js.src = "//connect.facebook.net/en_US/all.js#xfbml=1&appId=213678485361751"; fjs.parentNode.insertBefore(js, fjs);}(document, 'script', 'facebook-jssdk'));

Follow @iMore!function(d,s,id){var js,fjs=d.getElementsByTagName(s)[0];if(!d.getElementById(id)){js=d.createElement(s);js.id=id;js.src="//platform.twitter.com/widgets.js";fjs.parentNode.insertBefore(js,fjs);}}(document,"script","twitter-wjs");


Facebook
Twitter
Google+
RSS
YouTube
iTunes Shop iMore

THE #1 ACCESSORY STORE | 2 MILLION+ ORDERS SHIPPED

Browse All Accessories Cases and Skins Chargers Cradles Bluetooth Headsets Screen Protectors See all accessories Browse Accessories For Your Phone iPhone 5 Cases Chargers Car Kits & more iPhone 4S Cases Chargers Car Kits & more The new iPad Cases Chargers Screen Care & more iPhone 4 Cases Chargers Car Kits & more iPad 2 Cases Chargers Screen Care & more iPhone 3GS Cases Chargers Car Kits & more Shop iMore

THE #1 ACCESSORY STORE | 2 MILLION+ ORDERS SHIPPED

View All Devices STORE AD CONTENT Download iMoreiMORE APP  |  iMORE FORUMS  |  MOBILE NATIONS

Watch iMoreMORE SHOWS  |  MORE VIDEOS

Tell iMore Team iMore
Rene
Georgia
Leanna
Chris
Ally
Simon
Chris
Michelle
ABOUT iMORE

Wear iMoreORDER YOUR T-SHIRTS NOW!

Mobile Nations YouTube Channel Follow Us on Twitter Join us on Facebook Mobile Nations RSS Feed 13,102,764 Readers Per Month Mobile Nations brings you the very best of Android Central,
CrackBerry, iMore, webOS Nation, and WPCentral   Easyjet app update brings mobile boarding passes and Passbook supportThor 2: The Dark World hits theaters this fall, but you can get lots of great Thor stuff from iTunes right nowBlackBerry CEO supposedly says dumb things about the future of tablets, but what are the smart things?Currency for iPhone review: Convert between currencies on the goFeed Wrangler aims to make you forget about Google Reader, make RSS easier with Smart Streams, filters, and more   HTC dropping HTC Watch support for 6 countries in Europe come May 31Google I/O 2013 session schedule now availableMadfinger Games bringing titles to OUYA, Moga and Gamestick this yearGoogle releases Glass intro video to help us all get startedMophie announces Juice Pack for the HTC One, on sale now for $99.95 I highly doubt Thorsten Heins thinks the tablet market will dieTELUS BlackBerry Q10 unboxingLinkedIn v2.2 for BlackBerry OS smartphones brings BBM integration and company pagesPopcornFlix arrives for BlackBerry 10 - Watch free movies on your BlackBerry smartphoneBlackBerry Q10 and the Mercedes AMG Petronas car team up in the latest round of promo videos IM+ gets bumped for Windows Phone 8 & Indigo gets some minor improvements tooApply even more cool effects to images with the new Nightshot filter in Nokia's #2InstaWithLoveBoth Tumblr and NBC News updated, anything new?A behind the scenes look at the "Don't fight. Switch" Windows Phone adAT&T is giving you at least $100 for your old smartphone App Giveaway: Othello StockWatchLast call! Verizon Pre3 60-second video entries close tomorrowMonday Brief: WWDC sells out, BlackBerry Q10 review and the Samsung Galaxy S4 has arrivedPhoenix teams up with OpenMobile to Kickstart the ACL for TouchPadIsis Web doesn't bring new WebKit to the TouchPad, but it's still betterThis is the WindsorNot - the webOS slate smartphone that never was   iPhone / iPad ForumsAndroid ForumsBlackBerry ForumsWindows Phone ForumswebOS Forums Copyright 2013 Mobile Nations ? Terms and Conditions ? Privacy Policy

View the original article here