Simply visiting a website could let attackers secretly access the camera, microphone, or location of an Apple iPhone or MacBook.
The website need not be malicious itself; a legitimate site that unknowingly loads malicious ads would also do, as long as the victim is browsing with Safari.
Ethical hacker Ryan Pickren demonstrated the hack in practice and was rewarded with a $75,000 bug bounty by the tech giant. He helped the company patch a total of seven new vulnerabilities before anyone could exploit them in the wild.
The patches were released in a series of Safari updates, from version 13.0.5 (released January 28, 2020) to Safari 13.1 (released March 24, 2020).
According to the researcher, a malicious website that wanted camera access only had to pose as a trusted video-conferencing website such as Skype or Zoom.
Three of the reported Safari flaws, when chained together, could let a malicious site impersonate any legitimate site the victim trusts and access the camera or microphone by abusing permissions the victim had granted to the trusted domain only.
Safari grants permissions such as camera, microphone, and location on a per-website basis, so a site that has been granted access once can use the camera again without prompting the user every time it is loaded.
Moreover, while a third-party app on iOS needs the user's explicit consent to access the camera, Safari itself can access the camera or the photo gallery without any permission prompt.
This improper access relied on an exploit chain that strung together multiple flaws in the way the browser parsed URL schemes and handled security settings on a per-website basis. The method only works against websites that are currently open.
In other words, Safari did not check whether the websites satisfied the same-origin policy, and so granted access to a different site that should not have obtained the permissions. A trusted website and its malicious counterpart thus end up with the same permissions.
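To make the same-origin point concrete, the following is an added illustration in JavaScript (not Safari's code and not from the researcher's write-up) of a per-site permission store keyed by hostname alone, so the URL scheme is ignored, beside one keyed by the full origin; the hostnames and scheme names are constructed.

```javascript
// Added illustration, not Safari's code: a per-site permission store keyed
// by hostname alone (scheme ignored) beside one keyed by the full origin.
// Relies only on the WHATWG URL class available in Node.js and browsers.

// Weak key: hostname only, so "https://video.example" and
// "http://video.example" (or a custom scheme) collapse to one entry.
function weakOriginKey(urlString) {
  return new URL(urlString).hostname;
}

// Strict key: scheme + host + port. Opaque origins (data:, custom
// schemes) serialise as "null" and must never match a stored grant.
function strictOriginKey(urlString) {
  const origin = new URL(urlString).origin;
  return origin === "null" ? null : origin;
}

class PermissionStore {
  constructor(keyFn) {
    this.keyFn = keyFn;
    this.grants = new Map(); // key -> Set of permission names
  }
  grant(urlString, permission) {
    const key = this.keyFn(urlString);
    if (key === null) return; // refuse to persist grants for opaque origins
    if (!this.grants.has(key)) this.grants.set(key, new Set());
    this.grants.get(key).add(permission);
  }
  isGranted(urlString, permission) {
    const key = this.keyFn(urlString);
    const set = this.grants.get(key);
    return key !== null && set !== undefined && set.has(permission);
  }
}

// Constructed scenario: the user granted camera access to the HTTPS site only.
function demo(keyFn) {
  const store = new PermissionStore(keyFn);
  store.grant("https://video.example/", "camera");
  return {
    sameOrigin: store.isGranted("https://video.example/call", "camera"),
    httpScheme: store.isGranted("http://video.example/", "camera"),
    customScheme: store.isGranted("vidapp://video.example/", "camera"),
  };
}
// demo(weakOriginKey)   -> { sameOrigin: true, httpScheme: true,  customScheme: true }
// demo(strictOriginKey) -> { sameOrigin: true, httpScheme: false, customScheme: false }
```

The weak store lets any scheme reuse a grant made to the HTTPS site, which is the class of mistake the scheme-handling CVEs listed below describe; the strict store limits the grant to the exact origin.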
The research also states that even plaintext passwords can be stolen this way, because Safari uses the same method to decide on which websites password auto-fill should apply.
Auto-download protections can likewise be bypassed by opening a trusted site as a pop-up and then using it to download a malicious file.
The seven zero-day vulnerabilities found in Safari are:
CVE-2020-3852: A URL scheme may be incorrectly ignored when determining multimedia permission for a website
CVE-2020-3864: A DOM object context may not have had a unique security origin
CVE-2020-3865: A top-level DOM object context may have incorrectly been considered secure
CVE-2020-3885: A file URL may be incorrectly processed
CVE-2020-3887: A download’s origin may be incorrectly associated
CVE-2020-9784: A malicious iframe may use another website’s download settings
CVE-2020-9787: A URL scheme containing dash (-) and period (.) adjacent to each other is incorrectly ignored when determining multimedia permission for a website
All Safari users are strongly advised to keep the browser up to date and to grant websites access only to those settings they need in order to function.