Safari security flaw could give access to sensitive files

  • 27 August 2020

A bug in Safari's Web Share API causes the browser to access files that users would not normally have access to, such as Safari's history database.

Security researchers at Redteam.pl have discovered a potentially serious flaw in Safari.

A bug in the Web Share API, which is used to add Share buttons to web pages, can be used to share system files.

The API is normally used to make it easy for visitors to share content from a website via email or messages, save it to Dropbox or similar services, or pass it on in other ways through the system's regular Share dialog.

What Redteam.pl has discovered is that the API can be used to share resources with file:// URLs, i.e. files on the device's internal storage. Not only that: Safari accesses system files that you as a user cannot access. For example, a page might include a share button that sends Safari's history database or stored passwords.

The bug cannot be used to automatically upload or share sensitive files with anyone, so hackers must try to trick visitors. But even if the risk of being deceived in that way is low, the bug is serious because it breaks out of Safari's sandbox.
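The kind of check that rejects the file:// share described above, as an added example (not code from Redteam.pl, Apple or Safari): the shared URL is resolved with the URL parser first and only web schemes are accepted. The function name `checkShareUrl`, the http/https allowlist and all sample URLs and paths are assumptions constructed for illustration.

```javascript
// Added example: scheme allowlist for the `url` member of Web Share data.
// Assumption: only http(s) URLs are legitimate share targets for a web page.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// rawUrl  - the url value a page passed to the share call (may be undefined)
// baseUrl - URL of the calling page; relative share URLs resolve against it
// Returns { ok, reason, url } where url is the normalized absolute URL or null.
function checkShareUrl(rawUrl, baseUrl) {
  if (rawUrl === undefined) {
    return { ok: true, reason: "no url member", url: null };
  }
  let parsed;
  try {
    // Parse before testing: the URL parser trims surrounding whitespace,
    // lowercases the scheme and resolves relative references, all of which
    // a plain string-prefix comparison would get wrong.
    parsed = new URL(String(rawUrl), baseUrl);
  } catch (err) {
    return { ok: false, reason: "unparseable url", url: null };
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) {
    return { ok: false, reason: `scheme ${parsed.protocol} not allowed`, url: null };
  }
  return { ok: true, reason: "allowed", url: parsed.href };
}

// Constructed sample inputs (not taken from the original report).
const PAGE = "https://news.example/articles/";
const SAMPLES = [
  "https://news.example/articles/42",
  "/articles/42?ref=share",
  "file:///constructed/path/History.db",
  "  FILE:///constructed/path/History.db",
];

for (const sample of SAMPLES) {
  const verdict = checkShareUrl(sample, PAGE);
  console.log(JSON.stringify(sample), "->", verdict.ok ? verdict.url : verdict.reason);
}
```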
