iPhone flaw allows hackers to steal your personal data — Don't do this in Safari

An unpatched flaw in Apple's Safari browser allows hackers to steal browsing history, bookmarks, downloads, and any other files Safari can access, Polish security researchers claim. The problem appears to exist on both Macs and iPhones.

Pawel Wylecial, who runs a company called REDTEAM PL, wrote in a blog post yesterday (August 24) that a feature called Web Share does a bit of oversharing in Safari. He informed Apple of the flaw in April of this year, but the company decided not to fix the problem until the spring of 2021, so Wylecial decided to go public.

Wylecial described the flaw as "not that serious," but through clever social engineering, it is easy to lure Apple users to malicious websites and have them provide personal data.

How easy? Click the button below the cute kitten in Safari that says "share it with friends!" and you'll be presented with a list of apps, including Messages and Mail, that can deliver the link.

Select a recipient and send the link, but beware: the recipient will also get your browsing history. You can see how data thieves could trick users into sending links to strangers as well.

To avoid this type of damage, do not use Web Share in Safari for the time being. If you want to share a link with a friend, go back to the tried and true method of selecting the link in the browser address bar, copying it, opening an email or messaging app, and pasting it into the body of the message.

Wylecial's proof of concept was tested on Chrome for Android and did not work. However, we had another person open the link in Safari on her iPhone, click the "Share with Friends!" button and send the link to our Gmail account. We received a SQLite database of her browsing history.

We had another person test Wylecial's proof of concept on a Mac. However, the "Share it with friends!" button only seemed to work with Apple applications. Since she did not have Mail set up to handle email (she uses Gmail and Outlook), we could not go any further, but we could have if Mail had been set up.

Web Share allows browser users to easily send browser links to friends via email or instant messaging, but according to Wylecial, Safari's implementation of Web Share does not check to see if anything has been added to the link.

Wylecial found that if a local file path is added to the URL, Safari's Web Share feature copies the file as well as the URL and sends both to the Web Share recipient.
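The missing check described above can be sketched as page-side JavaScript. This is an added example, not code from Wylecial's post or from Safari; the helper names `checkShareData` and `installShareGuard`, the http(s)-only policy and the sample inputs are assumptions made for illustration. A site can use it to vet share data built from untrusted input, but it does not change what Safari does on a hostile page.

```javascript
// Added example: scheme allow-list for Web Share data (helper names are hypothetical).
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);
const FILE_URL_IN_TEXT = /\bfile:\/\//i; // a file URL hidden in free text

// Returns { ok, reasons } for a navigator.share()-style data object.
function checkShareData(data, baseUrl) {
  const reasons = [];
  if (data.url !== undefined) {
    try {
      // Resolve the way a browser would, so relative URLs and odd casing normalize.
      const resolved = new URL(String(data.url), baseUrl);
      if (!ALLOWED_SCHEMES.has(resolved.protocol)) {
        reasons.push(`url scheme "${resolved.protocol}" is not http(s)`);
      }
    } catch {
      reasons.push('url does not parse');
    }
  }
  for (const field of ['title', 'text']) {
    if (typeof data[field] === 'string' && FILE_URL_IN_TEXT.test(data[field])) {
      reasons.push(`${field} contains a file:// URL`);
    }
  }
  return { ok: reasons.length === 0, reasons };
}

// Wrap nav.share so every caller on the page passes through the check first.
// In a browser: installShareGuard(navigator, document.baseURI)
function installShareGuard(nav, baseUrl) {
  const original = nav.share.bind(nav);
  nav.share = (data = {}) => {
    const verdict = checkShareData(data, baseUrl);
    if (!verdict.ok) {
      return Promise.reject(new TypeError(verdict.reasons.join('; ')));
    }
    return original(data);
  };
}

// Constructed sample inputs, not taken from the proof of concept.
const BASE = 'https://example.test/kitten';
const samples = [
  { title: 'Kitten', url: '/kitten?id=1' },
  { title: 'Kitten', url: 'FILE:///constructed/example/path' },
  { text: 'look: file:///constructed/example/path' },
];
for (const s of samples) {
  console.log(JSON.stringify(s), checkShareData(s, BASE));
}
```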

Web Share is an open source feature available in all browsers, but according to the latest documentation, the desktop implementation is currently only available in Safari for Mac. On mobile devices, Web Share is supported by Chrome, Opera, and Samsung Internet on Android, and Safari on iOS.

Tom's Guide has reached out to Apple for comment and will update this article if we hear back.
