A security researcher has published details today about a Safari browser bug that could be abused to leak or steal files from users’ devices.
The bug was discovered by Pawel Wylecial, co-founder of Polish security firm REDTEAM.PL.
Wylecial reported the bug to Apple in April, but decided to go public with his findings today after the OS maker told him a fix would not ship until the spring of 2021, almost a year after the original report.
How does the bug work
In a blog post today, Wylecial said the bug resides in Safari’s implementation of the Web Share API — a new web standard that introduced a cross-browser API for sharing text, links, files, and other content.
The security researcher says that Safari (on both iOS and macOS) supports sharing files that are stored on the user’s local hard drive (via the file:// URI scheme).
This is a serious privacy issue because a malicious web page can invite the user to share an article with a friend by email while quietly attaching a file from the user's device to that share, siphoning the file off without the user noticing.
See the video below for a demonstration of the bug, or play with these two demo pages that can exfiltrate a Safari user’s /etc/passwd or browser history database files.
Wylecial described the bug as "not very serious," since user interaction and complex social engineering are needed to trick users into leaking local files; however, he also admitted that it was quite easy for attackers "to make the shared file invisible to the user."
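To make the mechanism concrete, here is an added illustration (not Wylecial's demo page and not Apple's patch) of the shape of a Web Share API call and of the scheme check a browser, or a page-side wrapper, should make before a share target reaches the OS share sheet. The base URL, the sample payloads and the wrapper function names are assumptions for illustration only.

```javascript
// Added illustration of the Web Share API call shape and a scheme check.
// Not the researcher's demo code and not Safari's fix; the base URL, the
// wrapper and the sample payloads are assumptions for illustration.

// navigator.share() takes a ShareData dictionary: { title, text, url, files }.
// A page sharing an article, which is what the user expects to happen:
const legitimateShare = { title: 'Article', url: 'https://example.com/article' };

// The bug described above is that Safari also accepted a local-file target,
// e.g. { url: 'file:///etc/passwd' }, and attached that file to the share.

const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Resolve the share URL the way a browser would (relative URLs resolve against
// the page's base; in a real page use document.baseURI) and accept only http(s)
// results, so an explicit file:// URL, a relative path on a file:// page, or a
// javascript: URL is refused.
function isShareableUrl(url, base = 'https://example.com/') {
  let parsed;
  try {
    parsed = new URL(String(url), base);
  } catch (err) {
    return false; // unparseable input is refused, not guessed at
  }
  return ALLOWED_SCHEMES.has(parsed.protocol);
}

// Vet a ShareData dictionary before it reaches navigator.share().
// Returns { ok, reason } so the decision can be checked without a browser.
function vetShareData(data, base) {
  if (data === null || typeof data !== 'object') {
    return { ok: false, reason: 'share data must be an object' };
  }
  if (data.url !== undefined && !isShareableUrl(data.url, base)) {
    return { ok: false, reason: `refusing non-http(s) share target: ${data.url}` };
  }
  return { ok: true, reason: '' };
}

// Page-side wrapper: only vetted payloads are handed to the platform share
// sheet. `nav` is injectable so the wrapper can be exercised outside a browser.
function safeShare(data, nav = globalThis.navigator, base) {
  const verdict = vetShareData(data, base);
  if (!verdict.ok) {
    return Promise.reject(new TypeError(verdict.reason));
  }
  if (!nav || typeof nav.share !== 'function') {
    return Promise.reject(new Error('Web Share API not available'));
  }
  return nav.share(data);
}
```

The check belongs in the browser, which is the only party that knows the real origin and base URL of the calling page; the page-side wrapper is useful for a site that embeds third-party content and wants to guarantee it never passes anything but an http(s) link to the share sheet.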
Recent criticism of Apple’s patch handling
However, the real issue here is not just the bug itself and how easy or complex it is to exploit it, but how Apple handled the bug report.
Not only did Apple fail to have a patch ready after more than four months, but the company also tried to delay the researcher from publishing his findings until next spring, almost a full year after the original bug report and well past the 90-day vulnerability disclosure deadline that is broadly accepted in the infosec industry.
Situations like the one Wylecial had to face are becoming increasingly common among iOS and macOS bug hunters these days.
Apple, despite announcing a dedicated bug bounty program, is increasingly being accused of delaying bug fixes on purpose and of trying to silence security researchers.
For example, when Wylecial disclosed his bug earlier today, other researchers reported similar situations where Apple delayed patching security bugs they reported for more than a year.

"For two of my bugs they've told me the same thing, that it will be fixed in 'Fall of 2020', and yesterday I asked for an update. They replied it's not a bug 😅"
— Nikhil Mittal (@c0d3G33k) August 24, 2020

When Apple announced the rules of the Security Research Device program in July, Google's vaunted Project Zero security team declined to participate, saying the program rules were specifically written to limit public disclosure and muzzle security researchers about their findings.

Three months earlier, in April, another security researcher reported a similar experience with Apple's bug bounty program, calling it "a joke" whose goal is "to keep researchers quiet about bugs for as long as possible."

"The industry standard for disclosure of security issues is 90 days. We're well beyond that point now. Why should I not publish?"
— Jeff Johnson (@lapcatsoftware) April 21, 2020

An Apple spokesperson acknowledged our request for comment earlier today but said the company could not comment yet, as it needed to investigate further.
Privacy has become a priority for virtually every company regardless of size, vertical, and geography. Privacy regulations have popped up around the world, including in Europe, the US, and China, and India will soon be added to the list. Rising customer and employee privacy expectations are also converging to force businesses to prioritize privacy, and will keep doing so. Companies are responding by maturing their privacy programs, developing best practices, and sharpening their toolkits.

Companies are investing in privacy

According to Forrester survey data, most companies worldwide have adopted a formal privacy program and have a chief privacy officer (CPO) in place; half of these CPOs report directly to the CEO. While privacy programs are primarily set up to meet compliance requirements, one of the key benefits companies report is increased customer trust. With the volume of individuals' privacy rights requests on the rise, new requirements under discussion, and emerging risks to tackle, privacy decision-makers expect to increase their privacy budgets in the next 12 months.

The appetite for new technology is also rising. While most teams still rely on spreadsheets to manage their programs, privacy teams are progressively investing in more sophisticated and automated tooling. Encryption is one of the main technologies being implemented today; privacy-preserving technologies and software for privacy training top the list of tools privacy decision-makers plan to adopt next.

Automation helps privacy organizations perform better, but to solve their most significant challenges they need to think about processes, governance, and policies on top of technology, and to establish strategic collaboration with others in the organization. When asked about the biggest challenges to effectively protecting the personal data of customers and employees, most privacy decision-makers named the fear of worsening the customer or employee experience.

Employee privacy expectations are greater than most assume

Companies have learned that EX, the employee experience, directly influences the quality of their customer experience (CX). As such, they are prioritizing efforts to improve their EX.

But employee privacy is still too often left out of the list of key EX and privacy initiatives. This is a mistake. How companies treat their employees' personal information has a significant impact on how employees feel about and trust their employers, and on how they perform. Employees have strong privacy expectations at work: data from Forrester's new Privacy Segmentation shows that as many as 72% of employees globally do not want their personal data used in workforce analytics projects without their consent. More than half wish they had more privacy protections in the workplace, and about the same number take active measures to limit the personal data they share with their employers.

Companies and their privacy leaders must learn how their employees feel about their personal data at work and develop privacy practices that meet those expectations. Those that treat employee privacy only as a compliance requirement should upgrade their practices to address employees' privacy attitudes beyond mere compliance; compliance is the floor, not the ceiling. Those that already have strong employee privacy practices must keep improving them as employee privacy expectations change.

Organizations can help empower employees with privacy at home

Employee privacy concerns and interests intersect with their personal lives, and the lines between work and home blur as companies move to an anywhere-work model with a remote workforce. Companies will hit a ceiling when it comes to applying cybersecurity controls that reach into the home: employees have expectations of privacy, employers have liability concerns, and privacy and labor laws are non-negotiable. To keep privacy top of mind and engage your workforce, you can be a resource for information that empowers employees to level up their personal privacy posture. For example, point to how a credit freeze can help prevent identity theft, and educate staff about tools like VPNs and identity theft monitoring and protection services. You can also highlight privacy and anti-surveillance tools: email and credit card masking tools like Abine and MySudo, secure messaging apps like Signal, and ad, popup and script blockers like Adblock, Ghostery, NoScript, and uBlock Origin. Many ISPs also offer home cybersecurity services today; these are typically delivered via the home router and include capabilities like network and device security, Wi-Fi/network management and optimization, parental controls, and privacy features. Concierge cybersecurity and privacy services like BlackCloak and Cypient Black take a tailored approach to protecting individuals (typically executives and VIPs) from targeted attacks aimed at their home environment.

While technologies and services can help, privacy-minded behaviors and habits will have the most day-to-day impact. Forrester data shows that US online adults' common actions to protect their privacy include clearing their browsing history and adjusting permissions for specific apps. This is where an organization's efforts to update and invest in its privacy awareness training program will empower employees the most.

This post was written by Principal Analysts Enza Iannopollo and Heidi Shey, and it originally appeared here.