The problem, reported by joev (Joe Vennix, a software engineer with Rapid7) on Rapid7’s Metasploit blog, lies in Safari’s webarchive format, which saves all of a web page’s resources – such as images, scripts and stylesheets – into a single file “that allows us to execute script in the context of any domain.” For the vulnerability to be exploited, writes Vennix, “an attacker must somehow deliver the webarchive file to the victim and have the victim manually open it” – a classic social engineering task of the type successfully achieved every day.
The ability to steal cookies can be witnessed by visiting any website (that uses cookies) and using File/Save as... to preserve the webarchive locally. Via a text editor, a single line of code (“<script>alert(document.cookie)</script>” in base64) is inserted – and the website's cookies pop up in an alert box. “Using this same approach,” says the author, “an attacker can send you crafted webarchives that, upon being opened by the user, will send cookies and saved passwords back to the attacker.”
Unfortunately, he adds, “Apple has labeled this a ‘wontfix’ since the webarchives must be downloaded and manually opened by the client. This is a potentially dangerous decision...” The only defense is the browser’s redirect protection, “which has been bypassed many times in the past.”
More specifically, Tod Beardsley, the Metasploit engineering manager, told Infosecurity that, "Rapid7 alerted Apple and their response was 'Web Archives were designed for local storage of web pages saved from a remote origin. The feature described in this report of being able to specify arbitrary origins for sub resources in the archive is a known limitation of this design. Web archives are not intended to be used as an interchange format for moving content between systems, but for storing a point-in-time snapshot of a previously-visited page. Opening web archives that were downloaded from the Internet will cause the user to receive a warning message indicating that opening such files may harm his/her computer. In the event that the researcher has discovered a means of bypassing this functionality, we're very interested in hearing of it so we can address that issue.'"
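As an added example (not Vennix's Metasploit module or anything from Rapid7's post), here is a defender-side triage script in Python that parses a .webarchive property list and flags the two things the report describes: script subresources whose origin differs from the saved page's own, and an inline <script> inserted into the saved main document. It assumes the standard webarchive plist keys (WebMainResource, WebSubresources, WebResourceURL, WebResourceMIMEType, WebResourceData); both sample archives are constructed inside the script, not real Safari saves.

```python
import plistlib
from urllib.parse import urlsplit

# MIME types Safari will execute as script when the archive is opened.
SCRIPT_MIME = {"text/javascript", "application/javascript", "application/x-javascript"}

def origin(url):
    """Scheme, host and port of a URL: the triple that defines a web origin."""
    parts = urlsplit(url)
    return (parts.scheme.lower(), (parts.hostname or "").lower(), parts.port)

def audit_webarchive(data):
    """Return (finding, url) pairs for script that would run in the main page's
    origin but did not come from it: cross-origin script subresources, and any
    inline <script> in the saved main document."""
    archive = plistlib.loads(data)            # plistlib auto-detects binary vs XML
    main = archive["WebMainResource"]
    main_origin = origin(main["WebResourceURL"])
    findings = []
    if b"<script" in main.get("WebResourceData", b"").lower():
        findings.append(("inline-script-in-main-resource", main["WebResourceURL"]))
    for sub in archive.get("WebSubresources", []):
        url = sub.get("WebResourceURL", "")
        if sub.get("WebResourceMIMEType", "") in SCRIPT_MIME and origin(url) != main_origin:
            findings.append(("cross-origin-script", url))
    return findings

def make_sample(main_html, subresources):
    """Build a constructed, minimal webarchive (assumed layout, not a real Safari save)."""
    return plistlib.dumps({
        "WebMainResource": {
            "WebResourceURL": "https://example.com/account",
            "WebResourceMIMEType": "text/html",
            "WebResourceData": main_html.encode(),
        },
        "WebSubresources": [
            {"WebResourceURL": u, "WebResourceMIMEType": m, "WebResourceData": b""}
            for u, m in subresources
        ],
    }, fmt=plistlib.FMT_BINARY)

# Constructed samples: a clean save, and one carrying script foreign to the page.
# The cross-origin image in CLEAN is deliberately not flagged: only script matters here.
CLEAN = make_sample("<html><body>hi</body></html>",
                    [("https://example.com/app.js", "text/javascript"),
                     ("https://cdn.example.net/logo.png", "image/png")])
TAMPERED = make_sample("<html><body>hi<SCRIPT>console.log('constructed')</SCRIPT></body></html>",
                       [("http://other.test/lib.js", "application/javascript")])
```

Run `audit_webarchive` over any downloaded .webarchive before opening it; an empty list means every script in it came from the page's own origin and nothing was spliced into the saved document.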
Vennix lists five potential attack vectors. Steal the user’s cookies as above. Steal CSRF tokens using an Ajax fetch. Steal local files. This is a bit more complex because, “unless we know the user’s account name we will not be able to access the user’s home directory.” But, he adds, “this is easy to work around by fetching and parsing a few known system logs... and the attacker can... even ‘crawl’ for sensitive user files.”
The fourth attack is to steal the browser’s saved passwords, using an iFrame to send the user to a false login page. “After waiting a moment for Safari's password autofill to kick in, the script then reads the values of all the input fields in the DOM and sends it back to the attacker.”
Finally, Vennix suggests that the vulnerability could be used to inject JavaScript malware such as a keylogger. “In a nightmare scenario, the user could be typing emails into a ‘bugged’ webmail, social media, or chat application for years before either 1) he clears his cache, or 2) the cached version in his browser is expired.”
The problem with this vulnerability is that it isn’t a coding error but part of the design of Safari, affecting both OS X and Windows; and it doesn’t look as if Apple will do anything about it. As such, there is no immediate remedy. Since Vennix has added the methodology to Metasploit, it could be used in anger any time now. The only workaround is to avoid downloading, or being socially engineered into downloading and opening, Safari webarchive files that you didn't create yourself.