A security flaw in Apple’s Safari web browser could potentially give hackers access your camera on your iPhone or laptop by impersonating familiar websites like Skype
- A security researcher discovered a flaw in Apple’s Safari browser
- It lets hackers impersonate familiar websites that have permission to the camera
- Using a minor variation on a familiar URL, Safari can be tricked into granting access to a webcam or microphone on an iPhone or Mac computer
- Apple says it fixed the bug with security updates in January and March
A security exploit in Apple’s Safari web browser could let hackers access a person’s iPhone camera or Macbook webcam.
The exploit was found by security expert Ryan Pickren, who says it involves the way Safari registers permissions for frequently visited websites.
As an example, Pickren points to Skype, which Safari will register as having general permission to access a device’s camera and microphone so it won’t have to borrow users with requests every time a person opens the site.
A security researcher discovered a major new bug in Safari that could let hackers access your iPhone camera and mic by impersonating a familiar site’s URL that user’s have already granted camera access to, such as Skype
‘Safari encourages users to save their preferences for site permissions, like whether to trust Skype with microphone and camera access,’ Pickren told Wired.
‘So what an attacker could do with this kill chain is make a malicious website that from Safari’s perspective could then turn into “Skype.”‘
‘And then the malicious site will have all the permissions that you previously granted to Skype, which means an attacker could just start taking pictures of you or turn on your microphone or even screen-share.’
Hackers specifically target a feature in Safari that includes slight variations of a familiar site’s URL in its permissions chain.
Pickren shared a more generic example of how this might work with a fictional site with the URL, https://www.example.com.
That site might use some alternate URLs for different subsites, such as http://example.com or fake://example.com.
Taking advantage of this feature, hackers could impersonate a familiar site by using a minor URL variation in what’s known as a ‘bait and switch’ attack.
Ryan Pickren, the security researcher who found the bugs, submitted them to Apple in December and was rewarded with $75,000 as part of its Bug Bounty program. The company said it fixed the security holes in two security updates in January and March
After identifying the theoretical security flaw, Pickeren decided to see if he could actually use it in practice to break into a device.
‘I just kind of hammered the browser with really weird cases until Safari got confused and gave an origin that didn’t make sense,” Pickeren said.
‘And eventually the bugs could all kind of bounce from one to the next. Part of this is that some of the bugs were really, really old flaws in the WebKit core from years ago.’
‘They probably were not as dangerous as they are now just because the stars lined up on how an attacker would use them today.’
Pickeren identified seven specific bugs and submitted them to Apple in December as part of its Bug Bounty program.
Apple verified the bugs and rewarded Pickeren with a $75,000 prize for finding them.
According to Apple, the security hole in Safari was fixed in two recent security updates released in January and March.
Devices that haven’t installed those security updates may still be vulnerable.
WHAT ARE THE PRIZES FOR THE APPLE SECURITY BOUNTY?
Apple Security Bounty is a prize program that will pay hackers and security researchers prizes for finding bugs and security flaws in iOS, iPadOS, macOS, iCloud, tvOS, and watchOS.
- $1,000,000 – Network Attack without User Interaction: Zero-Click Kernel Code Execution with Persistence and Kernel PAC Bypass
- $100,000 to $500,000 – Network Attack without User Interaction: Zero-Click Unauthorized Access to Sensitive Data
- $50,000 to $250,000 – Network Attack without User Interaction: Zero-Click Radio to Kernel with Physical Proximity
- $150,000 to $250,000 – Network Attack with User Interaction: One-Click Kernel Code Execution
- $75,000 to $150,000 – Network Attack with User Interaction: One-Click Unauthorized Access to Sensitive Data
- $250,000 – User-Installed App: CPU Side-Channel Attack
- $100,000 to $150,000 – User-Installed App: Kernel Code Execution
- $25,000 to $100,000 – User-Installed App: Unauthorized Access to Sensitive Data
- $ 100,000 to $250,000 – Physical Access to Device: User Data Extraction
- $25,000 to $100,000 – Physical Access to Device: Lock Screen Bypass
- $25,000 to $100,000 – Unauthorized iCloud Account Access