Apple pays $100,000 bounty for Safari webcam hack that jeopardized victims’ online accounts

Gatekeeper defenses are no match for the uXSS attack

Security flaws in Apple iCloud and Safari 15 could have allowed attackers to compromise macOS webcams and, subsequently, victims’ online accounts.

Ryan Pickren, an independent security researcher, reaped a $100,500 bug bounty for the Universal Cross-Site Scripting (uXSS) exploit and a total of four flaws.

uXSS all areas

While the camera hack required user interaction, the potential impact of a successful compromise was enormous.

“While this bug forces the victim to click ‘open’ on a pop-up on my website, it results in more than just media permission hijacking,” Pickren said in a post.

The exploit, he added, gives “the attacker full access to all websites ever visited by the victim. This means that besides turning on your camera, my bug can also hack into your iCloud, PayPal, Facebook, Gmail, etc. accounts.”


The researcher demonstrated a scenario in which a victim agrees to view a shared folder containing PNG images and a hidden webarchive file; once launched, the webarchive injects code into icloud.com that exfiltrates the victim’s iOS camera roll.

A paper (PDF) published by Google Project Zero described uXSS bugs, which can jeopardize multiple online accounts because they exploit the browser itself rather than any one website, as “almost as valuable as a remote code execution exploit (RCE) with the sandbox escape”.

“Subtle, but extremely impactful”

As suggested by the authors of the Metasploit penetration testing framework in 2013, Pickren used webarchive files as a Trojan horse for uXSS.

Webarchive files are Safari’s alternative to plain HTML for saving websites locally. Crucially, the file itself specifies the web origin in which its content should be rendered, so a crafted webarchive can run script in the context of any site the attacker names.

Pickren bypassed macOS Gatekeeper’s block on users opening downloaded webarchive files directly by opening them indirectly through an approved application, Safari. The researcher discovered that the .url shortcut file type would launch Safari and instruct the browser to open the webarchive.
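The two file types at the centre of the chain are both easy to inspect, and that is the check a practitioner would want before opening anything from a shared folder. The following is an added example written for this page, not Pickren’s code and not Apple’s: it builds a constructed sample folder (a placeholder PNG, a hidden webarchive and a .url shortcut), then reads the origin each webarchive would render in and the target each .url shortcut points at. The webarchive layout used (a property list whose `WebMainResource` dictionary carries `WebResourceURL`) is the documented Safari format; the `HIGH_VALUE_ORIGINS` watchlist, the file names and the script body are assumptions made for the demonstration.

```python
"""Added example: inspect a downloaded folder for Safari webarchives and .url
shortcuts and report where each would take the browser.  Not code from the
original article; all sample files are constructed here."""
import configparser
import os
import plistlib
import tempfile
from urllib.parse import urlparse

# Assumption: origins whose session cookies would be most valuable to a uXSS.
HIGH_VALUE_ORIGINS = {"https://www.icloud.com", "https://icloud.com"}


def webarchive_origin(path):
    """Return the origin (scheme://host) Safari would render this webarchive in.

    A Safari webarchive is a property list; its WebMainResource dictionary
    holds the page bytes (WebResourceData) and, decisively, the URL the page
    claims to come from (WebResourceURL).  That URL, not the file's location
    on disk, decides which site's cookies and storage the content can reach.
    """
    with open(path, "rb") as f:
        archive = plistlib.load(f)
    main = archive["WebMainResource"]
    u = urlparse(main["WebResourceURL"])
    return f"{u.scheme}://{u.netloc}"


def url_shortcut_target(path):
    """Return the URL from an Internet Shortcut (.url) file.

    Assumption: the shortcut uses the INI layout '[InternetShortcut]' / 'URL='.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read(path, encoding="utf-8")
    return cp["InternetShortcut"]["URL"]


def scan_folder(folder):
    """Walk one folder (dotfiles included, since the webarchive was hidden)
    and return (name, kind, destination, suspicious) tuples."""
    findings = []
    for name in sorted(os.listdir(folder)):
        path = os.path.join(folder, name)
        lower = name.lower()
        if lower.endswith(".webarchive"):
            origin = webarchive_origin(path)
            findings.append((name, "webarchive", origin, origin in HIGH_VALUE_ORIGINS))
        elif lower.endswith(".url"):
            target = url_shortcut_target(path)
            # A shortcut that points at a local file is the indirection the
            # article describes: Safari, not Gatekeeper, opens the file.
            findings.append((name, "url-shortcut", target, target.startswith("file:")))
    return findings


def build_sample_folder():
    """Create a constructed stand-in for the shared folder in the article."""
    folder = tempfile.mkdtemp(prefix="shared_")
    with open(os.path.join(folder, "photo1.png"), "wb") as f:
        f.write(b"\x89PNG\r\n\x1a\n")  # PNG signature only; placeholder bytes
    archive = {"WebMainResource": {
        "WebResourceURL": "https://www.icloud.com/",   # origin the content claims
        "WebResourceMIMEType": "text/html",
        "WebResourceTextEncodingName": "UTF-8",
        "WebResourceFrameName": "",
        "WebResourceData": b"<html><body><script>/* placeholder */</script></body></html>",
    }}
    hidden = os.path.join(folder, ".hidden.webarchive")
    with open(hidden, "wb") as f:
        plistlib.dump(archive, f, fmt=plistlib.FMT_BINARY)
    with open(os.path.join(folder, "open me.url"), "w", encoding="utf-8") as f:
        f.write("[InternetShortcut]\nURL=file://" + hidden + "\n")
    return folder


if __name__ == "__main__":
    for name, kind, dest, suspicious in scan_folder(build_sample_folder()):
        flag = "SUSPICIOUS" if suspicious else "ok"
        print(f"{flag:10} {kind:13} {name!r} -> {dest}")
```

The point the scan makes concrete is that the origin lives inside the webarchive as data; a file sitting next to holiday photos can still declare itself to be icloud.com, and a .url shortcut whose target begins with `file:` is handing that file to Safari rather than to Gatekeeper.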

“A subtle, but extremely impactful design flaw” in ShareBear, an iCloud file-sharing back-end application, meant an attacker could surreptitiously swap a benign file with a malicious one after it had been shared and downloaded by a victim.


The victim would not receive any notification of this file exchange.

“Essentially, the victim gave the attacker permission to implant a polymorphic file on his machine and permission to launch it remotely at any time,” Pickren said.

The researcher fashioned the exploit after pulling off a similar trick on Safari v14.1.1, but it soon turned out that the Safari v15 beta was inadvertently impervious due to an unrelated code refactor.

He also managed to steal local files by bypassing sandbox restrictions, and uncovered a pop-up blocker bypass and an iframe sandbox escape along the way.

Remediation

Pickren reported the bugs to Apple in July 2021. They were fixed in macOS Monterey 12.0.1: ShareBear was changed to reveal (rather than launch) shared files, and WebKit was patched so that Safari 15 no longer opens quarantined files.

The $100,500 reward eclipses the $75,000 payout Pickren received in 2020 for a one-click JavaScript webcam access exploit that worked on iPhone, iPad, and macOS.

Pickren quickly renewed his interest in Apple webcams after that earlier success, which compromised iOS and macOS cameras via a chain of Safari bugs that abused Skype’s camera permission.
