A security researcher found a way to take control of a Mac or iPhone's microphone and camera by chaining together Safari browser bugs. The problem stems from the per-site permissions Safari asks users to grant to certain websites, Ryan Pickren, the security researcher who disclosed the flaws to Apple, explained to Wired.
Using a malicious link, an attacker could trick a user into opening a website that disguised itself as one the user had already granted microphone and camera permissions. The flawed Safari browser could not tell that it was a fake, so it handed mic and camera access to the malicious site and gave the attacker the ability to spy on the user.

The reason Safari couldn't tell a fake site from a real one has to do with how the browser treated URL variations such as https://www.example.com, http://example.com and fake://example.com: it lumped them together as the same website, even though the scheme (and in some cases the hostname) differs, so a permission granted to one could be inherited by another. "I just kind of hammered the browser with really weird cases until Safari got confused and gave an origin that didn't make sense," Pickren told Wired. "And eventually the bugs could all kind of bounce from one to the next. Part of this is that some of the bugs were really, really old flaws in the WebKit core from years ago."

Apple patched these vulnerabilities after Pickren brought them to the company's attention. Pickren reported seven vulnerabilities to Apple in mid-December, and they were validated the next day. Patches were released in the January and March updates, and Pickren was awarded $75,000 through Apple's bug bounty program.

Apple is fortunate that Pickren disclosed these problems when he did. Had they surfaced any later, it would have been at a time when more people are working from home than ever before. The global workforce's reliance on video conferencing apps that need access to the mic and camera has skyrocketed during the coronavirus pandemic. By patching those issues early, Apple may have dodged the type of security nightmare Zoom currently finds itself in.