Apple has recently addressed some serious security flaws affecting iOS and Mac devices. Among these, three vulnerabilities could allow hijacking an Apple devices’ webcam when exploited together. Apple paid a hefty bounty to the researcher for finding these bugs.
Vulnerabilities Allowing Webcam Hijacking In Apple Devices
Security researcher, Ryan Pickren, found numerous serious vulnerabilities targeting Apple devices. Specifically, he found seven different zero-day bugs in Safari browser (CVE-2020-3852, CVE-2020-3864, CVE-2020-3865, CVE-2020-3885, CVE-2020-3887, CVE-2020-9784, & CVE-2020-9787). Exploiting three of these bugs together could allow webcam hijacking on an Apple device by an adversary.
In brief, these bugs could allow an attacker to impersonate a trusted website on the browser to which the user may have permitted to access the camera. The flaws existed in the Safari browser’s way of parsing URIs, managing web origins, and initializing secure contexts.
According to the researcher,
If a malicious website strung these issues together, it could use JavaScript to directly access the victim’s webcam without asking for permission. Any JavaScript code with the ability to create a popup (such as a standalone website, embedded ad banner, or browser extension) could launch this attack.
In the PoC of the exploit, the researcher could trick the browser to believe a malicious website as the trusted Skype site.
Details of the exploit are available in his blog post.
Apple Paid $75K Bounty For The Bugs
Upon finding these bugs, the researcher prompted Apple officials regarding the flaws. Consequently, Apple patched the bugs with the release of iOS 13.4 and Safari 13.1.
In addition, Apple also acknowledged Pickren’s efforts with a bug bounty of $75,000. His report fell under the exploit category “Network Attack without User Interaction: Zero-Click Unauthorized Access to Sensitive Data”.
Since the updates are out with patches, users must ensure updating their devices to avoid any exploit. Additionally good practice dictates that users should always set the permission to access the camera, microphone, and other sensitive components to “Ask first”.
Let us know your thoughts in the comments.