Apple Addressed Critical Vulnerabilities Allowing Webcam Hijacking

Apple has recently addressed several serious security flaws affecting iOS and Mac devices. Among these, three vulnerabilities could allow hijacking an Apple device’s webcam when exploited together. Apple paid a hefty bounty to the researcher for finding these bugs.

Vulnerabilities Allowing Webcam Hijacking In Apple Devices

Security researcher Ryan Pickren found numerous serious vulnerabilities affecting Apple devices. Specifically, he found seven different zero-day bugs in the Safari browser (CVE-2020-3852, CVE-2020-3864, CVE-2020-3865, CVE-2020-3885, CVE-2020-3887, CVE-2020-9784, and CVE-2020-9787). Exploiting three of these bugs together could allow an adversary to hijack the webcam of an Apple device.

In brief, these bugs could allow an attacker to impersonate, within the browser, a trusted website to which the user had already granted camera access. The flaws existed in the way the Safari browser parsed URIs, managed web origins, and initialized secure contexts.

According to the researcher,

If a malicious website strung these issues together, it could use JavaScript to directly access the victim’s webcam without asking for permission. Any JavaScript code with the ability to create a popup (such as a standalone website, embedded ad banner, or browser extension) could launch this attack.

In the PoC of the exploit, the researcher could trick the browser into treating a malicious website as the trusted Skype site.

Details of the exploit are available in his blog post.
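The permission model the bugs subverted is that a camera grant is keyed to a web origin (scheme, host and port) and only honoured in a secure context. The following is an added illustration of that model for this article, not Safari’s code and not the researcher’s PoC: a small per-origin grant store built on the standard URL API, run over constructed URLs (the look-alike host `lookalike.example` is invented) to show which requests a correct origin check must reject.

```javascript
// Model of a browser's per-origin camera permission store. Added example for
// this article; not Safari's implementation and not the researcher's PoC.
// The origin is the (scheme, host, port) tuple derived from the page URL, and
// a grant recorded for "https://web.skype.com" must match it exactly.

function originOf(url) {
  // Serialized origin of the URL, or null when the URL does not parse or has
  // an opaque origin (the URL API reports those as the string "null").
  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    return null;
  }
  return parsed.origin === "null" ? null : parsed.origin;
}

function isSecureContext(url) {
  // getUserMedia is only exposed to secure contexts; this model treats only
  // https origins as secure (browsers also trust localhost; omitted here).
  const origin = originOf(url);
  return origin !== null && origin.startsWith("https://");
}

class CameraPermissions {
  constructor() {
    this.granted = new Set(); // serialized origins the user has allowed
  }

  grant(url) {
    const origin = originOf(url);
    if (origin === null || !isSecureContext(url)) {
      throw new Error("camera access can only be granted to a secure origin");
    }
    this.granted.add(origin);
  }

  mayUseCamera(url) {
    const origin = originOf(url);
    return origin !== null && isSecureContext(url) && this.granted.has(origin);
  }
}

// Constructed scenario: the user once allowed the camera on web.skype.com.
function demo() {
  const perms = new CameraPermissions();
  perms.grant("https://web.skype.com/");
  const candidates = [
    "https://web.skype.com:443/call",            // same origin (default port)
    "https://WEB.SKYPE.COM/",                    // hosts are case-insensitive
    "http://web.skype.com/",                     // not a secure context
    "https://web.skype.com@lookalike.example/",  // userinfo; real host differs
    "https://web.skype.com.lookalike.example/",  // different host
    "https://web.skype.com:8443/",               // different port
    "data:text/html,<p>",                        // opaque origin
    "not a url",                                 // does not parse
  ];
  const decisions = {};
  for (const u of candidates) decisions[u] = perms.mayUseCamera(u);
  return decisions;
}

console.log(demo());
```

Only the first two candidates resolve to the granted origin; everything else is denied because the scheme, host or port differs, or the URL has no usable origin at all. The bugs described above mattered precisely because Safari’s own URI parsing, origin handling and secure-context initialization disagreed with each other, so a page could be treated as the granted origin when it was not.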

Apple Paid $75K Bounty For The Bugs

Upon finding these bugs, the researcher reported the flaws to Apple. Consequently, Apple patched the bugs with the release of iOS 13.4 and Safari 13.1.

In addition, Apple also acknowledged Pickren’s efforts with a bug bounty of $75,000. His report fell under the exploit category “Network Attack without User Interaction: Zero-Click Unauthorized Access to Sensitive Data”.

Since the updates with the patches are out, users should update their devices to avoid any exploit. Additionally, good practice dictates that users should always set the permission to access the camera, microphone, and other sensitive components to “Ask first”.

Let us know your thoughts in the comments.


Abeerah has been a passionate blogger for several years with a particular interest towards science and technology. She is crazy to know everything about the latest tech developments. Knowing and writing about cybersecurity, hacking, and spying has always enchanted her. When she is not writing, what else can be a better pastime than web surfing and staying updated about the tech world!


Sr. SDET M Mehedi Zaman

Currently working as Sr. SDET at Robi Axiata Limited, a subsidiary of Axiata Group.
