Apple has awarded a cybersecurity student $100,500 (roughly Rs 75,54,000) in bounty rewards for finding a bug in Apple’s macOS that let malicious actors take over the victim’s logged-in online accounts and even switch on their webcam.
Ryan Pickren reported the flaw to Apple last summer, and it was patched earlier this month. Pickren is no stranger to Apple bugs: he uncovered an iPhone and Mac camera vulnerability in April 2020. Now he has exposed another Mac webcam bug, one that allows attackers to break into the device and access sensitive user information.
According to a report by AppleInsider, this Apple Mac webcam bug was related to a series of issues with iCloud and Safari browser.
The vulnerability grants the hacker "full access to every website you've visited in Safari, meaning that if you're visiting my evil website on one tab, and then your other tab, you have Twitter open, I can jump into that tab and do everything you can from that screen. So, it does allow me to fully perform an account takeover on every website you visited in Safari," Pickren explained in a blog post.
According to Pickren, it all began with exploiting the Safari browser (Safari 15 at the time) and getting it to open webarchive files. A webarchive is Safari’s own format for saving a complete copy of a web page to disk (the page’s HTML together with its images, scripts and other resources, bundled into a single file), and opening one renders the page as if it had come from its original web origin.
This wouldn’t be a problem, were it not for the simple fact that a file shared with the victim could later be replaced by its author without any new prompt. So a victim could download an innocent .PNG file, only to have it silently transform into a malicious webarchive file.
“In essence, the victim has given the attacker permission to plant a polymorphic file onto their machine and the permission to remotely launch it at any moment. Yikes. Agreed to view my PNG file yesterday? Well, today it's an executable binary that will be automatically launched whenever I want,” Pickren explained in a further blog post.
To get the webarchive file to open, Pickren further explains, he needed to bypass macOS Gatekeeper, which turned out to be relatively simple. He used a .fileloc file (a Finder shortcut that points at a local path) to launch an app already installed on the machine, a technique he describes as Arbitrary File Execution. It is a good example of how, even with Gatekeeper enabled, an attacker can trick already-approved apps into performing malicious tasks.
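The chain above turns on two file types that macOS treats as more than the data they appear to be: a webarchive that Safari renders under its original web origin, and a .fileloc that Finder resolves to a local path. A defender triaging a Downloads folder after such an incident wants to know what a file really is, regardless of the extension it was shared under. The following script is an added example written for this article, not code from Pickren’s research or from Apple; it identifies a file by content (PNG magic bytes, or a property list carrying a webarchive’s WebMainResource dictionary, or a location file’s URL key), extracts the origin URL or target path, and flags mismatches between content and extension. The sample files are constructed inline so it runs offline; the `URL` key as the payload of a .fileloc is assumed from the format’s sibling .webloc files.

```python
"""
Content-based triage for files that may have been swapped out after download.
Added example, not part of the original article or Pickren's research.
Samples at the bottom are constructed inline so the script runs offline.
"""
import plistlib
from dataclasses import dataclass
from typing import Optional

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


@dataclass
class Verdict:
    kind: str                  # "png", "webarchive", "fileloc", "webloc", "plist", "unknown"
    target: Optional[str]      # origin URL of a webarchive, or the URL a location file opens
    suspicious: bool           # content/extension mismatch, or a pointer to a local path


def _load_plist(data: bytes):
    """Return the parsed plist (XML or binary), or None if the bytes are not a plist."""
    try:
        return plistlib.loads(data)
    except Exception:
        return None


def classify(name: str, data: bytes) -> Verdict:
    """Classify a file by its bytes, using the name only to spot extension lies."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""

    if data.startswith(PNG_MAGIC):
        return Verdict("png", None, ext != "png")

    obj = _load_plist(data)
    if isinstance(obj, dict):
        if "WebMainResource" in obj:
            # Safari webarchive: the page is rendered under WebResourceURL's origin,
            # so a ".png" that parses as one is exactly the polymorphic file described.
            url = obj["WebMainResource"].get("WebResourceURL")
            return Verdict("webarchive", url, ext != "webarchive")
        url = obj.get("URL")
        if isinstance(url, str):
            # Finder location file (assumed layout: a plist with a single URL key).
            # A file:// target means Finder will open a local path, e.g. an app bundle.
            if url.startswith("file://"):
                return Verdict("fileloc", url, True)
            return Verdict("webloc", url, ext != "webloc")
        return Verdict("plist", None, ext != "plist")

    return Verdict("unknown", None, False)


def make_webarchive(html: bytes, origin: str) -> bytes:
    """Build a minimal binary-plist webarchive (constructed sample for testing)."""
    return plistlib.dumps({
        "WebMainResource": {
            "WebResourceData": html,
            "WebResourceURL": origin,
            "WebResourceMIMEType": "text/html",
            "WebResourceTextEncodingName": "UTF-8",
            "WebResourceFrameName": "",
        },
        "WebSubresources": [],
    }, fmt=plistlib.FMT_BINARY)


def make_fileloc(path: str) -> bytes:
    """Build an XML-plist location file pointing at a local path (constructed sample)."""
    return plistlib.dumps({"URL": "file://" + path}, fmt=plistlib.FMT_XML)


if __name__ == "__main__":
    # Constructed samples: a real PNG header, a "PNG" that is really a webarchive,
    # and a .fileloc that would launch an installed app.
    samples = {
        "cat.png": PNG_MAGIC + b"\x00" * 16,
        "cat_shared.png": make_webarchive(b"<script>alert(1)</script>", "https://attacker.example/"),
        "notes.fileloc": make_fileloc("/Applications/Calculator.app"),
        "readme.txt": b"just text",
    }
    for fname, blob in samples.items():
        print(f"{fname:16} -> {classify(fname, blob)}")
```

Run it against a real Downloads directory by replacing the samples dictionary with `open(path, "rb").read()` per file; the check costs one plist parse per file and needs no macOS-specific tooling, so it also runs on an analysis box that is not a Mac.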
Researchers typically publish the details of an exploit only after the vendor has fixed the issue, which is why Pickren is writing about this now: the aim is to ensure the flaw is patched before attackers can start exploiting it.