
Mac webcam hijack flaw wins man $100,500 from Apple

Graham CLULEY

January 27, 2022

An independent security researcher has received a $100,500 bug bounty from Apple after discovering a security hole in the company's Safari browser for macOS that could allow a malicious website to hijack accounts and seize control of users' webcams.

Ryan Pickren, a Georgia Institute of Technology researcher and the founder of BugPoC, uncovered a universal cross-site scripting (UXSS) flaw in Apple's Safari browser. Unlike an ordinary XSS bug, which is confined to a single vulnerable website, a UXSS bug lives in the browser itself and lets an attacker run script in the context of any website the victim visits, which is why it can lead to such serious security problems.

As Pickren explains in a technical blog post, the attack begins by tricking a potential victim into opening what they believe to be a harmless .PNG image file.

However, by abusing features built into Apple iCloud and Safari that macOS treats as trusted, the attacker can arrange for a malicious file to run on the victim's Mac instead of a harmless image being opened.

The end result is that an attacker could seize control of Safari, access any accounts that the user is logged into, and even access users' microphone and webcam.

In his blog post, Pickren describes how the UXSS bug could be used by an attacker to inject arbitrary code into websites. For instance, JavaScript could be injected into a trusted video chat website like Zoom, to which the victim has already granted camera access, to turn on the webcam.

Of course, such an attack doesn't stop a Mac from displaying the green "on" light beside its webcam, but you have to wonder how many people would notice.

In addition, and perhaps more conventionally, an attacker could access any files stored locally on the victim's Mac.

Pickren's discovery is ingenious, and he pieced together a variety of flaws and features of macOS to "punch a hole in the browser":

"...the bug gives the attacker full access to every website ever visited by the victim. That means in addition to turning on your camera, my bug can also hack your iCloud, PayPal, Facebook, Gmail, etc. accounts too."

The good news is that there is no indication that anyone discovered the flaw before Pickren responsibly disclosed the problems to Apple in mid-July 2021. Security patches have now been issued for all of the vulnerabilities, preventing future exploitation.

The researcher appears to have, at least in part, built his latest webcam hijack on the foundations of a previous webcam-hijacking vulnerability he found a year ago, that netted him $75,000 from Apple.

As a student, Pickren managed to earn 15 million air miles through United Airlines' bug bounty program, donating half to Georgia Tech and a further 2.5 million to Make-A-Wish America.
