Summary
Byword is a text editor for iOS and OS X that can use iCloud or Dropbox to sync documents.
Byword supports actions through X-URLs on iOS.
One of the supported action replaces a file with the value passed through the URL.
Description
The Replace file action in the affected version does not warn the user and replaces the content of the target file with text specified in the X-URL.
The attacker must know the path to the file, but considering iCloud does not have subfolders, it makes it easier to guess filenames such as "todo.txt" file or an "important.txt" file, or the attacker could have received a file created by the victim using Byword and can guess the filename from the title.
Impact
The file can be overwritten and the data could be lost permanently.
Proof of Concept
byword://replace?location=icloud&path=&name=Important.txt&text=haha
This URL would replace the content of the file "Important.txt" in the user's iCloud container for Byword with "haha". By using iframes, the attacker can embed this attack in a web page. Safari on iOS will automatically launch Byword and overwrite the file.
<iframe src="byword://replace?location=icloud&path=&name=Important.txt&text=haha"></iframe>
Response Timeline