This article is more than 1 year old
Flaw hunter bags $75,000 off Apple after duping Safari into spying through iPhone, Mac cameras without permission
Bug that let malicious site snoop on users squashed, so make sure you're on the most recent version
Independent security researcher Ryan Pickren has revealed how a malicious website could hack Apple's Safari browser on iOS and macOS to spy on the user through the computer's camera without prompting for permission.
Pickren said Apple classified the bug as "one-click remote partial access to sensitive data," and awarded him $75,000 under the terms of its Security Bounty scheme.
Apple fixed the issues with Safari 13.1, crediting Pickren for three bug reports in the patch release notes. The three flaws mentioned by Apple are "a malicious iframe may use another website’s download settings"; "a download's origin may be incorrectly associated"; and "a file URL may be incorrectly processed". The fix is dated March 24, 2020 and the vulnerable version of Safari is 13.0.4, so if you still have that one, update it now.
Pickren is the founder of the site BugPoC, designed for hosting proof-of-concept demos of security issues.
Pickren has described his hack in a detailed walkthrough, and it makes good reading as an example of how hackers go about their research. He found flaws in rarely used specifications that browsers nevertheless have to implement in order to be compliant with other code, but which do not get the same level of attention as commonly used parts of the browser API.
Stuck inside with nothing to do? Apple fires out security fixes for iOS, macOS, wrist-puters... and something weird called iTunes for WindowsREAD MORE
The increasing capability of applications that run in the browser means that web browsers have extensive permissions which are then guarded by the browser, not the operating system. If you have given Safari permission to access the camera in order to use the likes of Skype or Zoom, then it is Safari that controls whether or not a malicious site gets those same permissions. Pickren set out to discover how to trick Safari into identifying his untrusted site as from the skype.com domain.
He discovered that the little-used file protocol, for URIs that begin file://, was not properly handled by Safari. He could load a local file and assign it a skype.com hostname, giving it the permission he sought.