Only a day after posting about making sure your browsers are fully patched, today I read about a currently still unpatched exploit (this is somewhat incorrect, as it has now been patched, but not released) in Safari on macOS and iOS. Until Apple release a fix, it falls to you to be aware of this and perhaps avoid the use of this feature for the time being.
Ok, so what is this then? Pawel Wylecial with Redteam.pl, has published a proof-of-concept exploit for stealing files from iOS and macOS devices. If you’d like to see it in action, they have an example page set up here. Although I wouldn’t really recommend clicking on the button since this example will not share the kitty pic, but your passwords file with the recipient, but it can really be any file available to your machine.
To be fair, you are still selecting the recipient, but how confident are you that all of your contacts are entirely safe people to send potentially sensitive data to? And it’s not as if many the sharing methods offered are particularly secure either. This may be a storm in a teacup, but I would still recommend taking care, since Pawels example is out there now and there are many creative people with malicious intent who may be able to take it much further.
As always though, stay safe and update!