5 comments

[ 3.3 ms ] story [ 11.7 ms ] thread
Is there a use-case where this functionality is useful and non-malicious?

It seems that the protection against this attack is being able to recognize that the file that's attached isn't the one that's intended but I think it's a mistake for the local filename and any fs metadata to be preserved when sharing by default. Sharing a file should mean sharing only the content of the that file.

"Apple replied asking not to publish the details as they plan to address the issue in the Spring 2021 security update"

Besides the fact that I'm always torn if vulnerabilities should be published if the vendor has committed to fixing them: I don't quite understand why a fix can't make it into the next big release that's around the corner (macOS Big Sur and iOS 14). Do large vendors really have such long development pipelines that changing anything is impossible for months? Or do they just have thousands of similarly serious issues and need to prioritize?

If this an accurate representation of what Apple said, they have a security update planned for ~6 months from now. What else are we needlessly vulnerable to until then?

Signed, an iOS convert of 2 months :/