Mac webcam hijack flaw wins man $100,500 from Apple

Graham CLULEY

January 27, 2022

An independent security researcher has received a $100,500 bug bounty from Apple after discovering a security hole in the company's Safari browser for macOS that could allow a malicious website to hijack a victim's online accounts and seize control of the Mac's webcam.

Georgia Institute of Technology's Ryan Pickren, who is also the founder of BugPoC, uncovered a universal cross-site scripting (UXSS) flaw in Apple's Safari browser that could lead to serious security problems.

As Pickren explains in a technical blog post, the attack begins by tricking a potential victim into opening what they believe to be an innocent-looking .PNG image file.

However, by exploiting features built into Apple iCloud and Safari that macOS trusts, the attack can end up running a malicious file on the victim's Mac instead of opening a harmless image.

The end result is that an attacker could seize control of Safari, access any accounts that the user is logged into, and even access users' microphone and webcam.

In his blog post, Pickren describes how an attacker could use the UXSS flaw to inject arbitrary code into any website. For instance, JavaScript could be injected into a trusted video chat website like Zoom, which the user has already granted camera access, to turn on the webcam.

Of course, such an attack doesn't prevent the Mac from displaying the green "on" light beside its webcam, but you have to wonder how many people would notice.

In addition, and perhaps more conventionally, an attacker could access any files stored locally on the victim's Mac.

Pickren's discovery is ingenious, and he pieced together a variety of flaws and features of macOS to "punch a hole in the browser":

"...the bug gives the attacker full access to every website ever visited by the victim. That means in addition to turning on your camera, my bug can also hack your iCloud, PayPal, Facebook, Gmail, etc. accounts too."

The good news is that there is no indication that anyone discovered the flaw before Pickren responsibly disclosed the problems to Apple in mid-July 2021. Apple has now issued security patches for all of the vulnerabilities, so users who keep macOS and Safari up to date are protected.

The researcher appears to have, at least in part, built his latest webcam hijack on the foundations of a previous webcam-hijacking vulnerability he found in 2020, which netted him $75,000 from Apple.

As a student, Pickren managed to earn 15 million air miles through United Airlines' bug bounty program, donating half to Georgia Tech and a further 2.5 million to Make-A-Wish America.
