New iPhone and MacBook camera hack
If you are using an iPhone, a MacBook or another Apple device, here is a piece of alarming news for you.
It turns out that merely visiting a website, not just a malicious one but also a legitimate site that unknowingly loads malicious ads, can give access to your device’s location, microphone and camera and, in some cases, saved passwords as well, just through your Safari browser.
Apple recently paid a $75,000 bounty to an ethical hacker, Ryan Pickren, who demonstrated the hack and helped Apple patch a total of seven new vulnerabilities before any attacker could take advantage of them.
The fixes were issued in two Safari browser updates: version 13.0.5 (released January 28, 2020) and Safari 13.1 (released March 24, 2020).
If a malicious website wanted your camera access, all the site had to do was pretend to be a trusted video-conferencing website such as Skype or Zoom.
When chained together, these reported Safari flaws could have allowed an untrusted site to act as any legitimate site a victim trusts and access their camera or microphone simply by abusing the permissions the victim had granted only to the trusted domains.
An Exploit Chain to Abuse Safari browser’s Per-Site Permissions
Safari grants access to a user’s location, microphone, camera and more on a per-website basis. This makes things easy for an individual website: for example, Skype is given permission to access the camera when the app is launched, without asking for permission every time.
But there is an exception to this rule on iOS. While any third-party app must ask for the user’s permission to access the camera, Safari can access the camera or the photo gallery without any permission prompts.
Here an attacker could use an exploit chain that combined multiple flaws in the way the browser parsed URL schemes and handled security settings on a per-website basis. This method works only with websites that are currently open.
Safari also failed to check whether websites followed the same-origin policy, thereby granting access to a different site that should not have obtained those permissions in the first place. So a website such as “https://example.com” and its malicious counterpart “fake://example.com” could end up having the same permissions.
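The origin confusion described above comes down to what key a permission grant is stored under. A web origin is the tuple (scheme, host, port); a store that keys grants on the host name alone will hand a grant made to “https://example.com” to anything else that can present the host “example.com”, whatever its scheme. The following is an added illustration, not Safari’s code or anything from Pickren’s write-up: it runs under Node.js using the global WHATWG URL class, and all of the sample URLs and the names OriginPermissions, HostOnlyPermissions and compareStores are constructed for this example.

```javascript
// Added example (not Safari's or the researcher's code): a per-origin permission
// store keyed on the full serialised origin (scheme, host, port) beside a flawed
// variant keyed on host name only. Assumes Node.js with the global WHATWG URL
// class; every URL below is a constructed sample.

// Serialise the origin the way the WHATWG URL standard does: for special schemes
// (http, https, ws, ...) it is "scheme://host[:port]"; for any other scheme the
// origin is opaque and serialises as the string "null".
function originOf(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return null; // unparseable input is never an origin
  }
  return url.origin;
}

// Correct store: one bucket per serialised origin. Opaque origins ("null") are
// refused on both grant and lookup, so a made-up scheme can never inherit or
// hold a grant.
class OriginPermissions {
  constructor() { this.grants = new Map(); }
  grant(urlString, permission) {
    const origin = originOf(urlString);
    if (origin === null || origin === "null") return false;
    if (!this.grants.has(origin)) this.grants.set(origin, new Set());
    this.grants.get(origin).add(permission);
    return true;
  }
  has(urlString, permission) {
    const origin = originOf(urlString);
    if (origin === null || origin === "null") return false;
    const set = this.grants.get(origin);
    return set !== undefined && set.has(permission);
  }
}

// Flawed store: keyed on host name alone, so scheme and port are ignored when a
// grant is looked up. This is the shape of the confusion the article describes.
class HostOnlyPermissions {
  constructor() { this.grants = new Map(); }
  hostOf(urlString) {
    try { return new URL(urlString).hostname; } catch (e) { return null; }
  }
  grant(urlString, permission) {
    const host = this.hostOf(urlString);
    if (host === null) return false;
    if (!this.grants.has(host)) this.grants.set(host, new Set());
    this.grants.get(host).add(permission);
    return true;
  }
  has(urlString, permission) {
    const host = this.hostOf(urlString);
    if (host === null) return false;
    const set = this.grants.get(host);
    return set !== undefined && set.has(permission);
  }
}

// Grant "camera" to the trusted origin in both stores, then look it up for the
// article's fake:// counterpart and two further same-host variants.
function compareStores() {
  const trusted = "https://example.com/";
  const lookalikes = [
    "fake://example.com/",       // the article's example: same host, made-up scheme
    "http://example.com/",       // same host, downgraded scheme
    "https://example.com:8443/", // same host, different port
  ];
  const correct = new OriginPermissions();
  const flawed = new HostOnlyPermissions();
  correct.grant(trusted, "camera");
  flawed.grant(trusted, "camera");
  const results = {};
  for (const u of lookalikes) {
    results[u] = { originKeyed: correct.has(u, "camera"), hostKeyed: flawed.has(u, "camera") };
  }
  return results;
}

for (const [u, r] of Object.entries(compareStores())) {
  console.log(`${u} -> origin-keyed: ${r.originKeyed}, host-keyed: ${r.hostKeyed}`);
}
```

Run with `node` and the host-keyed store answers true for all three lookalikes while the origin-keyed store answers false for every one of them; the grant only matches a later lookup for another page on exactly “https://example.com”. The practical check for any component that caches per-site consent is therefore the same as the one the browser fixes enforce: derive the key from the full origin after URL parsing, and treat an opaque or unrecognised scheme as having no grant at all.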
The research found that even plaintext passwords could be stolen this way, since Safari supplies them to the websites on which password auto-fill is to be applied.
Furthermore, auto-download prevention could be bypassed simply by opening a trusted site as a pop-up and then using it to download a malicious file.
Here is the CVE list of the zero-day vulnerabilities:
CVE-2020-3852: A URL scheme may be incorrectly ignored when determining multimedia permission for a website
CVE-2020-3864: A DOM object context may not have had a unique security origin
CVE-2020-3865: A top-level DOM object context may have incorrectly been considered secure
CVE-2020-3885: A file URL may be incorrectly processed
CVE-2020-3887: A download’s origin may be incorrectly associated
CVE-2020-9784: A malicious iframe may use another website’s download settings
CVE-2020-9787: A URL scheme containing dash (-) and period (.) adjacent to each other is incorrectly ignored when determining multimedia permission for a website.
So, if you are a Safari user, it is highly recommended that you keep your browser up to date and ensure websites are granted access only to those settings which are essential for them to function.