IPhone: I discovered a vulnerability in Safari that allowed unauthorized
IPhone: websites to access your camera on iOS and macOS
Imagine you are on a popular website when all of a sudden an ad banner hijacks your camera and microphone to spy on you. That is exactly what this vulnerability would have allowed.
This vulnerability allowed malicious websites to masquerade as trusted websites when viewed on Desktop Safari (like on Mac computers) or Mobile Safari (like on iPhones or iPads).
Hackers could then use their fraudulent identity to invade users’ privacy. This worked because Apple lets users permanently save their security settings on a per-website basis.
If the malicious website wanted camera access, all it had to do was masquerade as a trusted video-conferencing website such as Skype or Zoom.
Is an ad banner watching you?
I posted the technical details of how I found this bug in a lengthy walkthrough here.
My research uncovered seven zero-day vulnerabilities in Safari (CVE-2020-3852, CVE-2020-3864, CVE-2020-3865, CVE-2020-3885, CVE-2020-3887, CVE-2020-9784, & CVE-2020-9787), three of which were used in the kill chain to access the camera.
Put simply – the bug tricked Apple into thinking a malicious website was actually a trusted one. It did this by exploiting a series of flaws in how Safari was parsing URIs, managing web origins, and initializing secure contexts.
* victim in screen recording has previously trusted skype.com