An ethical “white-hat” hacker exploited Apple’s own apps in December to show how a malicious website could gain unrestricted access to a user’s camera and microphone without consent using flaws that have since been patched.
Former Amazon Web Services security engineer, Ryan Pickren, discovered seven zero-day vulnerabilities in Apple’s Safari that could be used to hijack users’ cameras. The vulnerabilities exploited the way Safari parsed Uniform Resource Identifiers, managed web origins, and initialized secure contexts.
The only requirement was that the user’s camera would have had to trust a video conferencing site, like Zoom. If that criteria was met, a user could visit a site that utilized the attack chain, and a hacker could gain access to a users camera —both on iOS and macOS.
Pickren had submitted his research to the Apple Bug Bounty program and was paid $75,000 for his contribution. Apple fixed three of the security flaws —the ones that allowed for camera hijacking —in the January 28 Safari 13.0.5 update. The four remaining flaws were not fixed until the Safari 13.1 release on March 24.
“A bug like this shows why users should never feel totally confident that their camera is secure,” Pickren told Forbes, “regardless of operating system or manufacturer.”
Pickren had discovered the bug by “finding assumptions in software and violating those assumptions to see what happens.” He noted that the camera security model was difficult to crack, as Apple requires nearly every app to be granted explicit permission to the microphone and camera. This makes it far less likely that a malicious third-party app could gain access without a users express permission.
The exception to the rule, however, is Apple’s own apps, such as Safari. Pickren was able to exploit this exception to uncover the bugs. He managed to “hammer the browser with obscure corner cases” until he gained access to the camera.