Security researcher discovers vulnerabilities in iOS and macOS that could be exploited to hack webcams


After discovering no fewer than seven security vulnerabilities in Safari for iOS and macOS, a researcher has received a $75,000 bug bounty payout from Apple.

Ryan Pickren, a former Amazon Web Services (AWS) security engineer, found a series of security flaws in Apple's web browser, some of which could be exploited to hijack the camera of a Mac or iPhone to spy on users. The webcam hacking technique combined a total of three zero-day bugs.


Pickren found that it was possible to take advantage of the fact that while all apps require users to grant permission to access the camera and microphone, the same was not true for Apple's own apps. The vulnerability researcher explains: "The camera security model in iOS and macOS is pretty intense. In a nutshell, each app must be explicitly granted camera/microphone permission, which is handled by the OS via a standard alert box".

He goes on to say:

But there is an exception to this rule. Apple's own apps get camera access for free. So Mobile Safari can technically access the camera without asking. Furthermore, new web technologies such as the MediaDevices Web API (commonly used in WebRTC transmissions) allow websites to utilize Safari's permission to access the camera directly. Great for web-based video conferencing apps such as Skype or Zoom. But... this new web-based camera tech undermines the OS's native camera security model.

In a detailed technical write-up of his work, Pickren describes how it was possible to trick a user into visiting a malicious website which Safari would trust because of the way it parsed URIs. He explains how he found that Safari saw no difference between the domains https://example.com, https://www.example.com, http://example.com and fake://example.com, and this could be exploited to deliver malicious JavaScript to compromise webcams and microphones.
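The difference between the host-only matching described above and a full origin check can be shown with a small permission store. This is an added example, not code from Pickren's write-up or from Safari; `hostOnlyKey`, `originKey`, `PermissionStore` and `cameraDecisions` are hypothetical names, and the host-only function is a constructed model of the behaviour the article reports.

```javascript
// Constructed model for illustration; not Safari's implementation.
const SECURE_SCHEMES = new Set(["https:"]);

// Weak key: scheme and a leading "www." are ignored, so every URL the
// article lists collapses to the same entry.
function hostOnlyKey(rawUrl) {
  return new URL(rawUrl).hostname.replace(/^www\./, "");
}

// Strict key: only secure schemes qualify, and the key is the full
// origin (scheme + host + port) as serialized by the WHATWG URL parser.
function originKey(rawUrl) {
  const u = new URL(rawUrl);
  return SECURE_SCHEMES.has(u.protocol) ? u.origin : null;
}

class PermissionStore {
  constructor(keyFn) {
    this.keyFn = keyFn;
    this.granted = new Set();
  }
  grant(rawUrl) {
    const key = this.keyFn(rawUrl);
    if (key === null) throw new Error("refusing grant for " + rawUrl);
    this.granted.add(key);
  }
  isAllowed(rawUrl) {
    try {
      const key = this.keyFn(rawUrl);
      return key !== null && this.granted.has(key);
    } catch (e) {
      return false; // unparseable URLs never inherit a grant
    }
  }
}

// Grant camera access to one trusted URL, then ask which candidates
// would be treated as already trusted.
function cameraDecisions(keyFn, trustedUrl, candidates) {
  const store = new PermissionStore(keyFn);
  store.grant(trustedUrl);
  return candidates.map((u) => store.isAllowed(u));
}

// The four URLs quoted in the article.
const CANDIDATES = ["https://example.com", "https://www.example.com",
                    "http://example.com", "fake://example.com"];
console.log("host-only:", cameraDecisions(hostOnlyKey, CANDIDATES[0], CANDIDATES));
console.log("origin:   ", cameraDecisions(originKey, CANDIDATES[0], CANDIDATES));
```

With the host-only key every candidate inherits the grant; with the origin key only the exact HTTPS origin does.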

As Forbes reports, the seven vulnerabilities (CVE-2020-3852, CVE-2020-3864, CVE-2020-3865, CVE-2020-3885, CVE-2020-3887, CVE-2020-9784 and CVE-2020-9787) were all responsibly disclosed to Apple and all have now been fixed. Three zero-days which could be combined into a "camera kill chain" were fixed in the Safari 13.0.5 update which was released on January 28. The remaining four vulnerabilities were regarded as being less severe, and they were fixed in Safari 13.1 which was released on March 24.

