A security vulnerability in Apple’s Safari browser allowed intruders to access users’ camera feeds and microphones.
The flaw was discovered by security researcher Ryan Pickren, who disclosed the issue to Apple before publishing his findings publicly.
Pickren explained that the bug was caused by oversights in the way that Safari handled permissions for sites.
“Safari encourages users to save their preferences for site permissions, like whether to trust Skype with microphone and camera access,” Pickren said.
The attacker could create a malicious website which tricks Safari into identifying it as a legitimate page, such as Skype.
This then grants the malicious site all of the permissions that were previously allowed to Skype, letting an attacker take pictures or videos of targets, record their sound, or even share screens, Pickren said.
In order for a web browser to use your stored preferences for a particular web page, it needs to know which websites you are currently viewing.
Pickren discovered that unlike other browsers, Safari was not using origins to keep track of a user’s “currently open websites”.
He opened several web pages using variations of a Uniform Resource Identifier (URI) and found that Safari was only detecting a single website.
For his testing, he used “https://example.com”, “https://www.example.com”, “http://example.com” and “fake://example.com”. All of these URIs were detected as “example.com”.
“After some more experimentation, I deduced that Safari was likely running a Generic URI Syntax parser against all open windows to get the URIs’ hostnames, then doing some extra parsing on those,” Pickren explained.
Safari was effectively accepting slight variations in URIs as being from the same authorised site, granting the malicious website the same permissions as the true site.
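The difference between hostname-based and origin-based tracking can be shown with the four test URIs above. This is an added example, not Safari's code or Pickren's: the permission store, the function names and the stripping of a leading "www." are assumptions made to mirror the behaviour the article describes.

```javascript
// Added example: a constructed permission store, not Safari's implementation.
// The four URIs are the ones quoted in the article.
const PAGE_URIS = [
  "https://example.com",
  "https://www.example.com",
  "http://example.com",
  "fake://example.com",
];

// Hostname-only key: scheme and port are discarded, and a leading "www."
// is ignored (assumed here to stand in for the "extra parsing").
function hostnameKey(uri) {
  return new URL(uri).hostname.replace(/^www\./, "");
}

// Origin key: scheme + host + port. Unknown schemes have an opaque origin,
// serialised as "null", which must never match a stored grant.
function originKey(uri) {
  const origin = new URL(uri).origin;
  return origin === "null" ? null : origin;
}

// Minimal permission store parameterised by the key function (hypothetical).
function makeStore(keyFn) {
  const grants = new Map();
  return {
    grant(uri, perms) { const k = keyFn(uri); if (k !== null) grants.set(k, perms); },
    lookup(uri) { const k = keyFn(uri); return k === null ? [] : (grants.get(k) || []); },
  };
}

// Grant permissions to one trusted URI, then report which of the page's
// URIs inherit them under each keying scheme.
function compare(trustedUri, perms) {
  const weak = makeStore(hostnameKey);
  const strict = makeStore(originKey);
  weak.grant(trustedUri, perms);
  strict.grant(trustedUri, perms);
  return PAGE_URIS.map((uri) => ({
    uri,
    hostnameKeyed: weak.lookup(uri).length > 0,
    originKeyed: strict.lookup(uri).length > 0,
  }));
}

console.table(compare("https://example.com", ["camera", "microphone"]));
```

With hostname keying, all four URIs inherit the grant; with origin keying, only the exact scheme, host and port that received it does.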
Pickren proceeded to illustrate this by crafting his own URI for Skype which managed to fool the browser.
If a user clicked on a link which directs to the URI, an attacker would be able to use the associated permissions of the legitimate website.
Apple fixes issue
Pickren said that the attack would work on devices running iOS and macOS, including iPhones, iPads, and Macs.
The exploit no longer exists, however, as Apple rolled out patches that fixed the vulnerability in January and March.
Pickren provided a working demo of the issue, which can be found here. Use the password “blahWrasse59” to access the demo. The link must be viewed from Safari version 13.0.4.
The GIF below shows what would happen when a user clicks on the malicious link.