Apple pays out $100k bounty for Safari webcam hack that imperilled victims’ online accounts

Security vulnerabilities in Apple iCloud and Safari 15 could have enabled attackers to compromise macOS webcams and, thereafter, victims’ online accounts.

Ryan Pickren, an independent security researcher, netted an eye-watering $100,500 bug bounty for the universal cross-site scripting (uXSS) exploit and a total of four flaws.

uXSS Safari webcam hack

While the camera hack required user interaction, the potential impact of a successful compromise was egregious.

“While this bug does require the victim to click ‘open’ on a popup from my website, it results in more than just multimedia permission hijacking,” said Pickren in a technical write-up.

The exploit, he added, gives “the attacker full access to every website ever visited by the victim. That means in addition to turning on your camera, my bug can also hack your iCloud, PayPal, Facebook, Gmail, etc. accounts too.”

The researcher demonstrated a scenario in which a victim agrees to view a shared folder containing PNG images and a hidden webarchive file; once launched, the webarchive injects code into icloud.com that exfiltrates the victim’s iOS camera roll.

A paper (PDF) published by Google Project Zero describes uXSS bugs, which can imperil multiple online accounts because they exploit browser vulnerabilities, as “almost as valuable as a remote code execution (RCE) exploit with the sandbox escape”.

‘Subtle, but wildly impactful’

As suggested by the authors of penetration testing application Metasploit back in 2013, Pickren used webarchive files as the trojan horse for uXSS.

Safari’s alternative to HTML for saving websites locally, webarchive files specify the web origin in which the content should be rendered.

Pickren circumvented macOS Gatekeeper’s block on users opening webarchive files directly by opening the files indirectly via an approved app, Safari. The researcher discovered that the .url shortcut filetype would launch Safari and instruct the browser to open the file.
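As an added illustration, not code from Pickren’s write-up or from this article, the Python below shows how a defender could triage a downloaded share for the two artefacts just described: a .url shortcut whose target is a local webarchive, and a webarchive whose main resource declares a sensitive origin such as icloud.com. The sample shortcut and webarchive are constructed inline; the WebMainResource and WebResourceURL keys are those of Safari’s webarchive plist format, and the list of sensitive origins is an assumption for the example.

```python
import configparser
import plistlib
from urllib.parse import urlparse

# Constructed sample: a minimal Safari webarchive. It is a property list whose
# WebMainResource dictionary names the URL (and hence the origin) the content
# will be rendered under when Safari opens the file.
SAMPLE_WEBARCHIVE = plistlib.dumps({
    "WebMainResource": {
        "WebResourceURL": "https://www.icloud.com/",
        "WebResourceMIMEType": "text/html",
        "WebResourceTextEncodingName": "UTF-8",
        "WebResourceData": b"<html><script>/* constructed placeholder */</script></html>",
    }
}, fmt=plistlib.FMT_BINARY)

# Constructed sample: an InternetShortcut (.url) file pointing at a local webarchive.
SAMPLE_URL_SHORTCUT = (
    "[InternetShortcut]\n"
    "URL=file:///Users/victim/Downloads/share/index.webarchive\n"
)

# Assumed watch-list: origins whose session a rendered webarchive must never inherit.
SENSITIVE_ORIGINS = {"https://www.icloud.com", "https://icloud.com"}


def webarchive_origin(data: bytes) -> str:
    """Return the scheme://host origin the webarchive's main resource declares."""
    archive = plistlib.loads(data)          # plistlib detects XML vs binary plists
    url = archive["WebMainResource"]["WebResourceURL"]
    parsed = urlparse(url)
    return f"{parsed.scheme}://{parsed.netloc}"


def webarchive_is_suspicious(data: bytes) -> bool:
    """Flag a webarchive that would render as a sensitive origin."""
    return webarchive_origin(data) in SENSITIVE_ORIGINS


def url_shortcut_target(text: str) -> str:
    """Extract the URL= value from an InternetShortcut file (keys are case-insensitive)."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser["InternetShortcut"]["URL"]


def shortcut_opens_local_webarchive(text: str) -> bool:
    """Flag a shortcut that hands Safari a local webarchive via a file:// URL."""
    parsed = urlparse(url_shortcut_target(text))
    return parsed.scheme == "file" and parsed.path.lower().endswith(".webarchive")
```

Running both checks over every file in a downloaded share surfaces exactly the pairing used in the chain: a shortcut that opens a webarchive, and a webarchive claiming an origin the share had no business carrying.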


“A subtle, but wildly impactful, design flaw” in ShareBear, a backend application for sharing files via iCloud, meant an attacker could surreptitiously swap a benign file with a malicious file after it had been shared with and downloaded by a victim.

The victim would receive no notification of this file swap.

“In essence, the victim has given the attacker permission to plant a polymorphic file onto their machine and the permission to remotely launch it at any moment,” said Pickren.

The researcher fashioned the exploit after successfully performing a similar trick on Safari v14.1.1, but it soon transpired that beta Safari v15 was inadvertently impervious due to an unrelated code refactor.

He also managed to steal local files by circumventing sandbox restrictions, as well as unearthing a popup-blocker bypass and iframe sandbox escape.

Remediation

Pickren reported the bugs to Apple in July 2021. They were addressed in macOS Monterey 12.0.1, which changed ShareBear to reveal (rather than launch) files, and by preventing WebKit from opening quarantined files in Safari 15.

The $100,000 reward dwarfs the $75,000 payout Pickren revealed in 2020 for a one-click JavaScript-to-webcam access exploit that worked on iPhones, iPads, and macOS.

Pickren soon renewed his interest in Apple webcams and once again compromised iOS and macOS cameras last year, this time via a Safari bug chain that leveraged Skype’s camera permission.
