Apple patched the vulnerabilities in January and March updates. But before the fixes, all a victim would have needed to do is click one malicious link and an attacker would have been able to spy on them remotely.
“Safari encourages users to save their preferences for site permissions, like whether to trust Skype with microphone and camera access,” says Ryan Pickren, the security researcher who disclosed the vulnerabilities to Apple. “So what an attacker could do with this kill chain is make a malicious website that from Safari’s perspective could then turn into ‘Skype’. And then the malicious site will have all the permissions that you previously granted to Skype, which means an attacker could just start taking pictures of you or turn on your microphone or even screen-share.”
The bugs Pickren found all stem from seemingly minor oversights. For example, he discovered that Safari’s list of the permissions a user has granted to websites treated all sorts of URL variations as being part of the same site, like https://www.example.com, http://example.com, and fake://example.com. By “wiggling around,” as Pickren puts it, he was able to generate specially crafted URLs that could work with scripts embedded in a malicious site to launch the bait-and-switch that would trick Safari.
“I just kind of hammered the browser with really weird cases until Safari got confused and gave an origin that didn’t make sense,” he says. “And eventually the bugs could all kind of bounce from one to the next. Part of this is that some of the bugs were really, really old flaws in the WebKit core from years ago. They probably were not as dangerous as they are now just because the stars lined up on how an attacker would use them today.”
A hacker who tricked a victim into clicking their malicious link would be able to quietly launch the target’s webcam and microphone to capture video, take photos, or record audio. And the attack would work on iPhones, iPads, and Macs alike. None of the flaws are in Apple’s microphone and webcam protections themselves, or even in Safari’s defenses that keep malicious sites from accessing the sensors. Instead, the attack surmounts all of these barriers just by generating a convincing disguise.
Pickren submitted seven vulnerabilities to Apple’s bug bounty program in mid-December and says he got a response that the company had validated the bugs the next day. While an attacker would only exploit three of the bugs to take over webcams in the chain Pickren envisioned, he found other, related flaws along the way that he submitted as well. Pickren says that part of the reason he encountered so many extra bugs was that he was looking for an attack chain that would work on both iOS and macOS—and Safari is designed slightly differently for each.