The ethical hacker Ryan Pickren demonstrated that it is possible to hack Apple iPhone or MacBook users by simply tricking them into visiting a website with the Safari browser.
Pickren reported seven vulnerabilities to Apple that rewarded him with a $75,000 bounty.
Turns out merely visiting a website — not just malicious but also legitimate sites unknowingly loading malicious ads as well — using Safari browser could have let remote attackers secretly access your device’s camera, microphone, or location, and in some cases, saved passwords as well.
“Some quick research shows that Safari keeps track of permission settings on a per-website basis to let websites access sensitive content such as GPS location or camera “without always asking for permission.” Basically, you can allow Skype to access your camera whenever it wants because you trust Skype. You can see which websites you currently trust in Safari > Preferences > Websites.” wrote the expert.
The expert demonstrated that chaining three of the Safari flaws he discovered it was possible to allow malicious sites to impersonate any legit site that was trusted by the victims. This means that an attacker exploiting the three flaws could have allowed accessing the camera or microphone by abusing the permissions granted by the victim to the trusted domain only.
The hack is possible because the Safari browser grants access to specific permissions (i.e. camera, microphone, location) to each individual website. If a website is authorized to access to the camera and the microphone, such as Skype or Zoom, attackers could impersonate them to access to the same privileges.
“But there is an exception to this rule. Apple’s own apps get camera access for free. So Mobile Safari can technically access the camera without asking.” continues the experts. “Furthermore, new web technologies such as the MediaDevices Web API (commonly used in WebRTC transmissions) allow websites to utilize Safari’s permission to access the camera directly. Great for web-based video conferencing apps such as Skype or Zoom.”
The expert noticed that Safari failed to use origins to keep track of your “currently open websites” granting access to a different site that shouldn’t have obtained permissions. This could have allowed granting access to a malicious website the same permissions of a legitimate one.
“The page actually accepted this URI as valid and reloaded the same content. Which means I just changed the document
Technical details about the hack demonstrated by the researchers are included in his post.
Apple users should keep their browsers up-to-date.
(SecurityAffairs – hacking, Apple iphone)