This article is more than 1 year old

Flaw hunter bags $75,000 off Apple after duping Safari into spying through iPhone, Mac cameras without permission

Bug that let malicious site snoop on users squashed, so make sure you're on the most recent version

Independent security researcher Ryan Pickren has revealed how a malicious website could hack Apple's Safari browser on iOS and macOS to spy on the user through the computer's camera without prompting for permission.

Pickren said Apple classified the bug as "one-click remote partial access to sensitive data," and awarded him $75,000 under the terms of its Security Bounty scheme.

Apple fixed the issues with Safari 13.1, crediting Pickren for three bug reports in the patch release notes. The three flaws mentioned by Apple are "a malicious iframe may use another website’s download settings"; "a download's origin may be incorrectly associated"; and "a file URL may be incorrectly processed". The fix is dated March 24, 2020 and the vulnerable version of Safari is 13.0.4, so if you still have that one, update it now.

Pickren is the founder of the site BugPoC, designed for hosting proof-of-concept demos of security issues.

Pickren has described his hack in a detailed walkthrough, and it makes good reading as an example of how hackers go about their research. He found flaws in rarely used specifications that browsers nevertheless have to implement in order to be compliant with other code, but which do not get the same level of attention as commonly used parts of the browser API.


Stuck inside with nothing to do? Apple fires out security fixes for iOS, macOS, wrist-puters... and something weird called iTunes for Windows


The increasing capability of applications that run in the browser means that web browsers have extensive permissions which are then guarded by the browser, not the operating system. If you have given Safari permission to access the camera in order to use the likes of Skype or Zoom, then it is Safari that controls whether or not a malicious site gets those same permissions. Pickren set out to discover how to trick Safari into identifying his untrusted site as from the domain.

He discovered that the little-used file protocol, for URIs that begin file://, was not properly handled by Safari. He could load a local file and assign it a hostname, giving it the permission he sought.

Abusing a local file is not enough, though; he also had to automate its download. Pickren described a further flaw in the way blob objects are handled. A bit of work with browser history and iFrames, and "we now have a sandboxed iframe with the blob:// href and arbitrary JavaScript content. A simple popup is the final step to glory," said Pickren – glory being in this case a payout for him, and a reminder to the rest of us that giving the web browser super powers is not without risk. ®

More about


Send us news

Other stories you might like