Security vulnerabilities in Apple iCloud and Safari 15 could have enabled attackers to compromise macOS webcams and, thereafter, victims’ online accounts.
Ryan Pickren, an independent security researcher, netted an eye-watering $100,500 bug bounty for the universal cross-site scripting (uXSS) exploit and a total of four flaws.
uXSS Safari webcam hack
While the camera hack required user interaction, the potential impact of a successful compromise was egregious.
“While this bug does require the victim to click ‘open’ on a popup from my website, it results in more than just multimedia permission hijacking,” said Pickren in a technical write-up.
The exploit, he added, gives “the attacker full access to every website ever visited by the victim. That means in addition to turning on your camera, my bug can also hack your iCloud, PayPal, Facebook, Gmail, etc. accounts too.”
The researcher demonstrated a scenario in which a victim agrees to view a folder containing PNG images and a hidden webarchive file; the webarchive injects code into icloud.com that exfiltrates their iOS camera roll.
A paper (PDF) published by Google Project Zero has described uXSS bugs, which can imperil multiple online accounts because they exploit browser vulnerabilities, as “almost as valuable as a remote code execution (RCE) exploit with the sandbox escape”.
‘Subtle, but wildly impactful’
As suggested by the authors of penetration testing application Metasploit back in 2013, Pickren used webarchive files as the trojan horse for uXSS.
Safari’s alternative to HTML for saving websites locally, webarchive files specify the web origin in which the content should be rendered.
Pickren circumvented macOS Gatekeeper’s block on users opening webarchive files directly by opening the files indirectly via an approved app, Safari. The researcher discovered that the .url shortcut filetype would launch Safari and instruct the browser to open the file.
“A subtle, but wildly impactful, design flaw” in ShareBear, a backend application for sharing files via iCloud, meant an attacker could surreptitiously swap a benign file with a malicious file after it had been shared with and downloaded by a victim.
The victim would receive no notification of this file swap.
“In essence, the victim has given the attacker permission to plant a polymorphic file onto their machine and the permission to remotely launch it at any moment,” said Pickren.
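A content-based triage of a downloaded share folder, written here as an added example (it is not the researcher's code, Apple's, or ShareBear's): it flags webarchives by their binary-plist structure regardless of the extension they carry, and .url shortcuts that point at a local file, so a file swapped in after download is judged by what it is at open time rather than by the name it was shared under. The folder layout, file names and origin URL in `demo()` are constructed.

```python
import configparser
import plistlib
import tempfile
from pathlib import Path
from urllib.parse import urlparse

def is_webarchive(path: Path) -> bool:
    """Safari webarchives are binary plists whose top-level dict holds WebMainResource."""
    raw = path.read_bytes()
    if not raw.startswith(b"bplist00"):  # cheap magic check before a full parse
        return False
    try:
        data = plistlib.loads(raw)
    except (plistlib.InvalidFileException, ValueError):
        return False
    return isinstance(data, dict) and "WebMainResource" in data

def url_shortcut_target(path: Path):
    """Return the URL= entry of an [InternetShortcut] .url file, or None."""
    cp = configparser.ConfigParser(interpolation=None)
    try:
        cp.read(path, encoding="utf-8")
    except (configparser.Error, UnicodeDecodeError):
        return None
    return cp.get("InternetShortcut", "URL", fallback=None)

def scan_share(folder):
    """(name, reason) pairs; judged by content, not extension, since names are attacker-chosen."""
    findings = []
    for p in sorted(Path(folder).rglob("*")):
        if p.is_file() and is_webarchive(p):
            findings.append((p.name, "webarchive: renders in the origin named inside the file"))
        if p.is_file() and p.suffix.lower() == ".url":
            target = url_shortcut_target(p)
            if target and urlparse(target).scheme == "file":
                findings.append((p.name, f"shortcut opens local file: {target}"))
    return findings

def demo():
    """Constructed share: two real PNGs, a webarchive disguised as a PNG, and a .url launcher."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name in ("cat.png", "dog.png"):
            (root / name).write_bytes(b"\x89PNG\r\n\x1a\n" + b"\0" * 16)
        archive = {"WebMainResource": {"WebResourceURL": "https://www.icloud.com/",
                   "WebResourceMIMEType": "text/html", "WebResourceData": b"<html></html>"}}
        (root / "holiday.png").write_bytes(plistlib.dumps(archive, fmt=plistlib.FMT_BINARY))
        (root / "view.url").write_text("[InternetShortcut]\nURL=file:///tmp/share/holiday.png\n")
        return scan_share(root)
```

Point `scan_share` at the local copy of a share before opening anything in it; the two genuine PNGs produce no finding, the disguised webarchive and the shortcut each produce one.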
The researcher fashioned the exploit after successfully performing a similar trick on Safari v14.1.1, but it soon transpired that beta Safari v15 was inadvertently impervious due to an unrelated code refactor.
He also managed to steal local files by circumventing sandbox restrictions, as well as unearthing a popup-blocker bypass and iframe sandbox escape.
Pickren reported the bugs to Apple in July 2021. They were addressed recently in macOS Monterey 12.0.1, which changed ShareBear to reveal (rather than launch) files, and in Safari 15, which prevents WebKit from opening quarantined files.
Pickren soon renewed his interest in Apple webcams and once again compromised iOS and macOS cameras last year, this time via a Safari bug chain that leveraged Skype’s camera permission.