Apple Turns Other Cheek to Fixing Exploited Safari Bug Used to Steal Passwords

Apple is standing firm in its decision not to repair a Safari bug that may be exploited to steal user passwords.

The vulnerability in question is a universal cross-site scripting (UXSS) flaw in Apple's Safari browser, identified by security researchers from Rapid7. The flaw, which lies in the .webarchive file format, requires specific direct user interaction before it leads to revealing saved passwords.

Apple is relying on the fact that, before they open the file, users are presented with a warning informing them that the "content was downloaded from a webpage." This 'reasoning' is more than likely why Apple has chosen not to repair the Safari bug. Maybe Apple is preoccupied with conjuring up the next iPhone or iPad.

Security researchers mostly agree that this 'decision' by Apple is potentially dangerous as there are a number of different attack vectors that could initiate abuse of the UXSS to steal user cookies. Additionally, other aspects of what the Safari browser saves, such as CSRF tokens, local files, JavaScript and saved passwords, could be abused by cybercriminals.

Having no patch or fix for this Safari bug leaves out in the cold those users who go through the exact steps required to make their system vulnerable to an attack. Security experts, for now, are advising users of Safari to avoid opening .webarchive files altogether.
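For triage in line with that advice, the following added example (not from Rapid7, Apple or the original article) finds .webarchive files under a directory and summarises each by parsing its property list in Python instead of opening it in Safari. The key names are those of the webarchive format; the sample file, its URL and the active-content heuristic are constructed for illustration.

```python
import plistlib
import re
import tempfile
from pathlib import Path

# Heuristic byte patterns for active content in saved HTML (an assumption, not exhaustive).
ACTIVE = re.compile(rb"<script\b|\son\w+\s*=|javascript:", re.IGNORECASE)

def inspect_webarchive(path):
    """Summarise a .webarchive by parsing its plist; nothing is rendered."""
    try:
        with open(path, "rb") as fh:
            archive = plistlib.load(fh)
        main = archive["WebMainResource"]
        subs = archive.get("WebSubresources", [])
        data = main.get("WebResourceData", b"")
        active = isinstance(data, bytes) and bool(ACTIVE.search(data))
        active = active or any("javascript" in s.get("WebResourceMIMEType", "") for s in subs)
        return {
            "path": str(path),
            "claimed_url": main.get("WebResourceURL"),  # origin the archive says it came from
            "mime": main.get("WebResourceMIMEType"),
            "subresources": len(subs),
            "subframes": len(archive.get("WebSubframeArchives", [])),
            "active_content": active,
        }
    except Exception as exc:  # not a plist, or not shaped like a web archive
        return {"path": str(path), "error": type(exc).__name__}

def scan(root):
    """Inspect every file under root whose suffix is .webarchive (any case)."""
    return [inspect_webarchive(p) for p in sorted(Path(root).rglob("*"))
            if p.is_file() and p.suffix.lower() == ".webarchive"]

def write_sample(directory):
    """Write a constructed, benign sample archive containing one inline script."""
    doc = {"WebMainResource": {
        "WebResourceURL": "https://example.test/page",  # constructed value
        "WebResourceMIMEType": "text/html",
        "WebResourceTextEncodingName": "UTF-8",
        "WebResourceData": b"<html><script>1</script></html>",
    }}
    target = Path(directory) / "sample.webarchive"
    target.write_bytes(plistlib.dumps(doc, fmt=plistlib.FMT_BINARY))
    return target

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        write_sample(tmp)
        for report in scan(tmp):
            print(report)
```

Pointing `scan()` at a downloads or mail-attachment directory gives a list of archives to review or quarantine; an `error` entry means the file has the extension but did not parse as a web archive.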
