A security flaw that allowed malicious hackers to access Mac, iPhone, and iPad cameras has earned the researcher who discovered it a $75,000 bounty.
In posts published here and here, researcher Ryan Pickren said he discovered seven vulnerabilities in Safari and its WebKit browser engine that, when chained together, allowed malicious websites to turn on the cameras of Macs, iPhones, and iPads. Pickren reported the bugs privately, and Apple has now fixed the vulnerabilities and paid the researcher $75,000 under the company's bug bounty program.
Apple severely limits third-party apps' access to device cameras. Apple's own apps face fewer restrictions, but even then, Safari users must explicitly allow each website that may access the camera. In addition, those websites can only access the camera if they are served in a secure context, meaning the browser has high confidence that the page was delivered over an HTTPS connection.
If Skype.com is not Skype.com
Pickren developed an exploit chain that bypassed this protection. By exploiting several of the vulnerabilities he discovered, the researcher was able to make Safari treat his malicious proof-of-concept website as if it were Skype.com, which he had added to the list of trusted websites for demonstration purposes. (Skype.com doesn't actually support Safari, but Pickren's exploit can impersonate any website, including Zoom and Google Hangouts.) The following video shows the result.
The hack in desktop format.
In short, visiting a site that exploited these bugs allowed it to disguise itself as any other site. If Safari trusted the impersonated site to access the camera, the malicious site could immediately see what was happening in front of the target device. The video also makes clear that a camera icon appears in the address bar as soon as access begins, and Macs would also turn on the camera's green indicator light. While alert users would notice that their camera had been activated, less experienced or less watchful users might not.
"Simply put, the mistake has led Apple to believe that a malicious website is actually a trustworthy one," Pickren wrote. "A number of bugs were exploited when analyzing URIs through Safari, managing web origins, and initializing secure contexts."
The longer of Pickren's two posts, located here, offers a deep dive into the technical details. In an email, Pickren summarized the exploit as follows:
My malicious website used a "data url" to generate a "blob url" and then used the Location.replace() web API to navigate there. This caused Safari to accidentally give me a malformed "origin" (CVE-2020-3864). With this buggy origin, I used the window.history API to change my url to "blob://skype.com". From there I practically removed my origins to fool Safari into being in a "safe context" (CVE-2020-3865). Since Safari previously ignored the URL schemes when applying website permissions (CVE-2020-3852), I was able to use all the permissions the victim gave to real skype.com.
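The scheme-blind permission lookup Pickren describes for CVE-2020-3852, modelled as an added example in JavaScript (this is not Pickren's or Apple's code; the grant store, the test URLs and the function names are assumptions). It contrasts a hypothetical host-only lookup with one keyed on the full origin behind a secure-context check, the kind of check a defender wants a browser to perform:

```javascript
// Constructed grant store: the user allowed the camera for https://skype.com only.
// Keyed by full serialized origin (scheme + host + port), as a browser should do.
const cameraGrants = new Set(["https://skype.com"]);

// Hypothetical flawed lookup: compares hostnames only, so the scheme is ignored.
// Any URL whose host string is "skype.com" (http:, blob://skype.com, ...) matches.
function cameraAllowedHostOnly(pageUrl) {
  const page = new URL(pageUrl);
  for (const grant of cameraGrants) {
    if (new URL(grant).hostname === page.hostname) return true;
  }
  return false;
}

// Secure-context test: https:, or a loopback host that browsers treat as
// potentially trustworthy. Everything else (http:, blob:, data:) fails.
function isSecureContext(page) {
  if (page.protocol === "https:") return true;
  return page.hostname === "localhost" || page.hostname === "127.0.0.1";
}

// Corrected lookup: require a secure context, reject opaque ("null") origins,
// then match the whole origin string, so the scheme is part of the key.
function cameraAllowedByOrigin(pageUrl) {
  const page = new URL(pageUrl);
  if (!isSecureContext(page)) return false;
  if (page.origin === "null") return false;
  return cameraGrants.has(page.origin);
}

// Constructed inputs: only the first should ever be granted camera access.
const probes = [
  "https://skype.com/call",   // legitimate, granted
  "http://skype.com/",        // same host, not a secure context
  "blob://skype.com",         // host string matches, scheme is blob:
  "https://attacker.example/" // unrelated origin
];
for (const p of probes) {
  console.log(p, "host-only:", cameraAllowedHostOnly(p),
              "origin+secure:", cameraAllowedByOrigin(p));
}
```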
While the attack chain exploited the vulnerabilities tracked as CVE-2020-3864, CVE-2020-3865, and CVE-2020-3852, Pickren discovered four other bugs, indexed as CVE-2020-3885, CVE-2020-3887, CVE-2020-9784, and CVE-2020-9787. Apple fixed most of them in late January (see the notes here and here) and patched the rest last month.