Home / Mobile Phones / Iphone / IPhone: Unauthorized access to cameras in Safari on macOS and iOS

IPhone: Unauthorized access to cameras in Safari on macOS and iOS

IPhone:

IPhone: I discovered a vulnerability in Safari that allowed unauthorized

IPhone: websites to access your camera on iOS and macOS 

Imagine you are on a popular website when all of a sudden an ad banner hijacks your camera and microphone to spy on you. That is exactly what this vulnerability would have allowed.

This vulnerability allowed malicious websites to masquerade as trusted websites when viewed on Desktop Safari (like on Mac computers) or Mobile Safari (like on iPhones or iPads).

Hackers could then use their fraudulent identity to invade users’ privacy. This worked because Apple lets users permanently save their security settings on a per-website basis.

If the malicious website wanted camera access, all it had to do was masquerade as a trusted video-conferencing website such as Skype or Zoom.

Is an ad banner watching you?

I posted the technical details of how I found this bug in a lengthy walkthrough here.

My research uncovered seven zero-day vulnerabilities in Safari (CVE-2020-3852, CVE-2020-3864, CVE-2020-3865, CVE-2020-3885, CVE-2020-3887, CVE-2020-9784, & CVE-2020-9787), three of which were used in the kill chain to access the camera.

Put simply – the bug tricked Apple into thinking a malicious website was actually a trusted one. It did this by exploiting a series of flaws in how Safari was parsing URIs, managing web origins, and initializing secure contexts.

If a malicious website strung these issues together, it could use JavaScript to directly access the victim’s webcam without asking for permission. Any JavaScript code with the ability to create a popup (such as a standalone website, embedded ad banner, or browser extension) could launch this attack.

* victim in screen recording has previously trusted skype.com

Read More

Share this:

Share

About admin

Check Also

IPhone: Google makes it easier to use security keys on iOS devices

IPhone: Google makes it easier to use security keys on iOS devices

Google is making it easier to use security keys and its Advanced Protection Program to secure Google Accounts on iOS devices. Thanks to changes rolling out today, anyone with an Apple device (iOS 13.3 and above) will be able to use Google’s Titan Security Keys to secure both work and personal Google Accounts.Because both USB-A…

Leave a Reply

Your email address will not be published. Required fields are marked *