Apple Permissions Vulnerability Effects Multiple Apps
DISCLOSURE: What is disclosed here has already been disclosed to Apple. Apple deemed it not as a security vulnerability and promptly forwarded it to their feedback team; even though it can be used to literally forward people to suspicious links. You can ready my publication on HackerOne: Field Day With Protocol Handlers where a similar vulnerability was found in the Brave browser - by yours truly - to which was not only paid out, but deemed a security vulnerability.
The "applenews://" URL scheme allows for malicious URLs to be executed without any sort of user permission before execution. For example, going to "webcal://" will have a warning that will say "Do you want to allow this page to open ‘Calendar’?"
This is quite typical across browsers such as Firefox, Opera, Brave and others, but with the "applenews://" URL scheme with Safari a pop-up isn’t present and moves forward in opening the News app. It is present when using Firefox or any other browser though.
While this might not be dangerous, seeing that Apple News simply displays news articles, but there is an issue in the News app that allows the default browser to open any given URL thrown at it.
For example, visiting 'applenews://dudetechitout.com//' in Safari will launch the News app to only open the default browser to https://dudetechitout.com. This not only bypasses all security measures, but it can even allow XSS via third-party and even allow for payload delivery.
I thought that perhaps it was due to it being on localhost, but placing a simple HTML file onto a hosting server with the code being "Click me" still produced the same result upon clicking the link.
>> Are you on a Mac in Safari? Try it yourself: Click Me
Effects on Apple’s Mail Client
I was able to successfully send myself an e-mail with ‘applenews://dudetechitout.com//’ as a link and upon clicking the link it did open the News app to only open Dude Tech it Out in my default browser. Again, there wasn’t any sort of pop-up or anything for-warning me from proceeding.
Due to it being served from a protocol, instead of a standard link, it can bypass antivirus and e-mail filters resulting in a higher probability of delivery.
Some interesting things happened while messing with this, such as visiting ‘applenews://apple.com//’ does bring up an article and upon clicking the share icon, navigating to Safari, it will open “https://apple.com”. I’m assuming there is an issue in the News app that is allowing this action to take place. Which more than likely with enough time could result in further exploitation.
Using Safari to Showcase Vulnerability
Using Apple Mail to Showcase Vulnerability
To essentially recap:
Engage with URL scheme ‘applenews://DOMAINTOGOTO.COM//’ -> Opens News app -> Opens given URL DOMAINTOGOTO.COM in default browser.
- There is no warning in Safari on opening the URL scheme ‘applenews://’
- The URL scheme ‘applenews://’ allows the opening of any URL by the default browser by simply having two “/” placed in the scheme.
- Third party XSS vulnerabilities possible.
- Effective payload delivery possible.
That's it Folks!
Hope you enjoyed the find as much as I enjoyed finding it! I'm sure with enough attention this can become a DOM exploit resulting in a zero day to which I say give credit where credit's due!