2 min read

Mac webcam hijack flaw wins man $100,500 from Apple

Graham CLULEY

January 27, 2022

Ad One product to protect all your devices, without slowing them down.
Free 90-day trial
Mac webcam hijack flaw wins man $100,500 from Apple

An independent security researcher has received a $100,500 bug bounty from Apple after discovering a security hole in the company's Safari browser for macOS that could allow a malicious website to hijack accounts and seize control of users' webcams.

Georgia Institute of Technology's Ryan Pickren, who is also the founder of BugPoC, uncovered a universal cross-site scripting (UXSS) flaw in Apple's Safari browser that could lead to serious security problems.

As Pickren explains in a technical blog post, the attack begins by tricking a potential victim into opening what they believe to be an innocent-looking .PNG image file.

However, by exploiting features built into Apple iCloud and Safari that are trusted by macOS, unsuspecting users can end up with a malicious file running on their Mac, rather than opening a harmless image.

The end result is that an attacker could seize control of Safari, access any accounts that the user is logged into, and even access users' microphone and webcam.

In his blog post, Pickren describes how the UXSS attack could be used by an attack to inject arbitrary code into websites. For instance, JavaScript could be injected onto a trusted video chat website like Zoom to turn on the webcam.

Of course, such an attack doesn't prevent a Mac from displaying a green "on" light beside their webcam, but you have to wonder how many people would notice.

In addition, and perhaps more conventionally, an attacker could access any files stored locally on the victim's Mac.

Pickren's discovery is ingenious, and he pieced together a variety of flaws and features of macOS to "punch a hole in the browser":

"...the bug gives the attacker full access to every website ever visited by the victim. That means in addition to turning on your camera, my bug can also hack your iCloud, PayPal, Facebook, Gmail, etc. accounts too."

The good news is that there is no indication that anyone discovered the flaw before Pickren responsibly disclosed the problems to Apple in mid-July 2021.  Security patches have now been issued for all of the vulnerabilities, preventing future exploitation.

The researcher appears to have, at least in part, built his latest webcam hijack on the foundations of a previous webcam-hijacking vulnerability he found a year ago, that netted him $75,000 from Apple.

As a student Pickren managed to earn 15 million air miles through the United airlines' bug bounty program, donating half to Georgia Tech and a further 2.5 million more to Make-A-Wish America.

tags


Author



Right now

Top posts

John Oliver Shows the Dark Side of Data Brokerage on Last Week Tonight

John Oliver Shows the Dark Side of Data Brokerage on Last Week Tonight

April 15, 2022

3 min read
Bitdefender Labs Warns of Phishing Scams Targeting MetaMask Users

Bitdefender Labs Warns of Phishing Scams Targeting MetaMask Users

April 14, 2022

3 min read
Why and how to hide your IP address while traveling

Why and how to hide your IP address while traveling

April 13, 2022

2 min read
How Bitdefender Can Help Restore Your Privacy in the Digital Age

How Bitdefender Can Help Restore Your Privacy in the Digital Age

April 04, 2022

3 min read
How Strong is VPN Encryption?

How Strong is VPN Encryption?

February 28, 2022

3 min read
Top Three Ways Internet Users Unknowingly Help Cybercriminals

Top Three Ways Internet Users Unknowingly Help Cybercriminals

February 25, 2022

4 min read

FOLLOW US ON

SOCIAL MEDIA


You might also like

Baby formula shortages in US fuel social media scams, BBB warns Baby formula shortages in US fuel social media scams, BBB warns
Alina BÎZGĂ

May 18, 2022

2 min read
Conti Ransomware Gang Threatens to Overthrow the New Government of Costa Rica Conti Ransomware Gang Threatens to Overthrow the New Government of Costa Rica
Vlad CONSTANTINESCU
1 min read
US Charges Venezuelan Cardiologist with Using, Selling Ransomware US Charges Venezuelan Cardiologist with Using, Selling Ransomware
Vlad CONSTANTINESCU
1 min read