New Safari bug could have given hackers access to your webcam

Security researcher awarded $100,500 for finding a design flaw in Safari

The newly discovered bug could have let attackers access your webcam and microphone

In 2020, researcher Ryan Pickren received $75,000 from Apple for several Safari vulnerabilities that could have been exploited to hack the camera and microphone of iOS and macOS devices. Exploitation required tricking the targeted user into visiting a malicious website. In 2021, he continued looking at Apple's security and identified another exploit chain that could have an even bigger impact. Pickren wrote in his blog:[1]

While this bug does require the victim to click “open” on a popup from my website, it results in more than just multimedia permission hijacking. This time, the bug gives the attacker full access to every website ever visited by the victim. That means in addition to turning on your camera, my bug can also hack your iCloud, PayPal, Facebook, Gmail, etc. accounts too.

His research resulted in four zero-day bugs[2] (CVE-2021-30861, CVE-2021-30975, and two considered to be design flaws). The hack works by using ShareBear to trick the victim into allowing the attacker to plant a file, which the attacker could later execute without any further user input. The planted file did not even have to be malicious – the attacker could later change the file’s content and extension without the victim’s knowledge.

The three-stage process

The hack was broken down into three steps:

  1. Staging the attack – trick the victim into giving the threat actor permission to plant the polymorphic file
  2. Mounting Disk Image – turn puppies.png into evil.dmg and launch it
  3. Launching URL file – turn evil.dmg into evil.url and launch it

In essence, the victim could agree to view a PNG file, and the next day the attacker could replace it with an executable binary that launches automatically whenever the attacker chooses. The attacker only had to modify the file on his own machine, and ShareBear would automatically update the copy on the victim's machine.

Gatekeeper[3] prevented the cybersecurity student from running his own app. However, he used a fileloc pointing to an app already present on the machine (a technique known as Arbitrary File Execution), which was a good example of how, even with macOS Gatekeeper enabled, an attacker could trick approved apps into performing malicious tasks.
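The three-stage process above hinges on two observable facts from a defender's point of view: a file in a synced folder whose bytes no longer match its extension (the PNG that became a disk image), and launchable file types (.dmg, .url, .fileloc) appearing where only media was expected. The following added example is not code from Pickren's research or from Apple; it is a small content-versus-extension checker plus a snapshot diff of the kind an endpoint monitor could run over a shared folder. The file signatures it relies on (the PNG header, the `koly` trailer of UDIF disk images, the `[InternetShortcut]` header of .url files, and the plist form of .fileloc/.webloc files) are standard; the sample bytes and file names are constructed for illustration.

```python
"""Spot 'polymorphic' files in a synced folder: content that no longer matches the
file's extension, and launchable file types showing up where only images were
expected. Added example, not the research code described in the article."""
import hashlib
from pathlib import Path

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"          # standard PNG signature
# Extensions macOS will mount or hand to an app when opened from Finder/Safari
RISKY_EXTS = {".dmg", ".url", ".fileloc", ".webloc", ".inetloc", ".app"}
# What the extension claims the content should sniff as
EXT_TO_KIND = {".png": "png", ".dmg": "dmg", ".url": "url",
               ".fileloc": "plist", ".webloc": "plist"}


def sniff(data: bytes) -> str:
    """Label the bytes by a few well-known signatures; the file name is ignored."""
    if data.startswith(PNG_MAGIC):
        return "png"
    if len(data) >= 512 and data[-512:-508] == b"koly":      # UDIF disk image trailer
        return "dmg"
    if data.lstrip().startswith(b"[InternetShortcut]"):       # .url shortcut format
        return "url"
    if data.lstrip().startswith(b"<?xml") and b"<plist" in data:  # .fileloc/.webloc are plists
        return "plist"
    return "unknown"


def inspect_file(name: str, data: bytes) -> dict:
    """Return a record for one file: hash, sniffed kind, and any findings."""
    ext = Path(name).suffix.lower()
    kind = sniff(data)
    expected = EXT_TO_KIND.get(ext, "unknown")
    findings = []
    if expected != "unknown" and kind != expected:
        findings.append(f"content looks like {kind}, extension says {ext}")
    if ext in RISKY_EXTS:
        findings.append(f"launchable type {ext} in shared folder")
    return {"name": name, "sha256": hashlib.sha256(data).hexdigest(),
            "kind": kind, "findings": findings}


def snapshot(files: dict) -> dict:
    """files: {name: bytes}. Returns {name: record} for one point in time."""
    return {name: inspect_file(name, data) for name, data in files.items()}


def snapshot_dir(folder) -> dict:
    """Same as snapshot() but reads a real directory (non-recursive)."""
    return snapshot({p.name: p.read_bytes() for p in Path(folder).iterdir() if p.is_file()})


def diff_snapshots(before: dict, after: dict) -> list:
    """Alert on files that appeared, vanished, or were rewritten between two snapshots."""
    alerts = []
    for name in sorted(after):
        rec, prev = after[name], before.get(name)
        tag = f" [{'; '.join(rec['findings'])}]" if rec["findings"] else ""
        if prev is None:
            alerts.append(f"new file {name} ({rec['kind']}){tag}")
        elif prev["sha256"] != rec["sha256"]:
            alerts.append(f"{name} rewritten: {prev['kind']} -> {rec['kind']}{tag}")
    for name in sorted(set(before) - set(after)):
        alerts.append(f"{name} no longer present (renamed or deleted)")
    return alerts


# Constructed sample data, not real files from the research
PNG_SAMPLE = PNG_MAGIC + b"\x00" * 16
DMG_SAMPLE = b"\x00" * 88 + b"koly" + b"\x00" * 508   # 600 bytes, 'koly' sits at offset -512
URL_SAMPLE = b"[InternetShortcut]\nURL=https://example.invalid/\n"

if __name__ == "__main__":
    day1 = snapshot({"puppies.png": PNG_SAMPLE})   # what the victim agreed to view
    day2 = snapshot({"evil.dmg": DMG_SAMPLE})      # what the folder holds the next day
    for line in diff_snapshots(day1, day2):
        print(line)
```

Run on a real folder with `diff_snapshots(snapshot_dir(a), snapshot_dir(b))` between two scans; the point of sniffing bytes rather than trusting names is that a sync client faithfully propagates whatever the remote side renames or rewrites, so the name alone tells you nothing.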

Not everyone is happy with Apple's Security Bounty program

In interviews with more than two dozen security researchers, The Washington Post[4] collected a number of complaints – Apple does not rush to fix the bugs and does not always pay out what is owed. Pickren submitted the bugs to Apple in mid-July 2021, and they patched all issues in early 2022. Some people think that Apple's response is relatively slow, considering the impact such flaws could have on the users.

Apple has not commented on the bug, and it is unknown if it has been actively exploited. Even though Apple has paid Pickren $100,500 from its bug bounty program,[5] many security researchers are not happy. In 2020, Apple paid out $3.7 million, about half of the $6.7 million that Google paid and far less than the $13.6 million that Microsoft paid.

Apple's bug bounty program can award up to $1 million, but the $100,500 payout to Ryan Pickren is thought to be the highest amount ever paid. Some have also noticed that while other companies like Facebook, Microsoft, and Google give the spotlight to security researchers that find major bugs, hold conferences and provide resources to encourage participation in their bug bounty programs, Apple seems to want to sweep everything under the rug.

Apple's reluctance to be more transparent with security researchers has discouraged some of them from providing discovered flaws. Certain specialists have even chosen to sell their research to customers like government agencies or companies that offer hacking services. Many seem to be confused by Apple's strategy but hope that with the new leader put in place for the program in 2021, they will start seeing improvements.

About the author
Ugnius Kiguolis

Ugnius Kiguolis is a professional malware analyst who is also the founder and owner of 2-Spyware. He currently serves as Editor-in-chief.
