Apple paid $75,000 to researcher Ryan Pickren under its bug bounty program for vulnerabilities in Safari that made it possible to access someone else's webcam on a Mac, iPhone, or iPad simply by luring the person to a specially crafted site.
Altogether Pickren discovered seven vulnerabilities in the Apple browser and the WebKit browser engine (CVE-2020-3852, CVE-2020-3864, CVE-2020-3865, CVE-2020-3885, CVE-2020-3887, CVE-2020-9784, CVE-2020-9787), three of which can be chained together to spy on users through the camera and microphone of an iPhone, iPad, or Mac. Such an attack requires very little: the victim only has to visit a malicious site. No other interaction is needed, and the malicious site can pose as a popular legitimate resource and abuse permissions the victim would grant only to a trusted domain.
“If a malicious site needs to access the camera, all it needs is to disguise itself as a reliable site for video conferencing, such as Skype or Zoom,” the researcher notes.
Pickren explains that Safari keeps a separate set of permissions (camera, microphone, location, and so on) for each individual site. This allows a site such as the official Skype site to access the camera without asking the user for permission on every visit.
iOS adds an exception to this rule: whereas third-party applications must obtain the user's explicit consent to access the camera, Safari can access the camera or the photo gallery without any prompt.
Exploitation of the discovered problems is possible because of the way the browser parses URL schemes and applies the per-site security settings. The researcher's method, however, works only against sites already open in the browser.
Even worse, the study showed that plaintext passwords can be stolen in the same way, since Safari uses the same approach to identify sites for which it should autofill passwords.
PoC exploits and a demonstration of the described attacks are available on the researcher's blog. One such example can be seen below.