Are you a big Apple fan ? Well here’s an alarming discovery that may make you think about covering that selfie camera on your iPhone or MacBook or whichever Apple device you use.
Think about all the “legitimate” websites you visited that showed a pop-up that your were in such a hurry to get rid of, that you actually clicked “I Agree” in order to give permission to the website to access the camera feature on your device. Scary isn’t it?
Using Apple’s Safari browser, hackers may can remotely access your device’s camera, bluetooth, wifi, microphone, location etc. In some cases, your password that may appear encrypted in a “dotted” format, might be easily decoded by the hackers.
Ryan Pickren, known as an “ethical hacker”, received a $75,000 bounty for demonstrating the vulnerabilities of Apple devices and several hacks that helped them fix a total of 7 openings that were easily accessible to the hackers. Thankfully, the discovery was made and the issue was resolved before it was used by the bad guys, therefore, with the help of iOS version 13.0.5 followed by 13.1 shortly after.
Pickren said in an interview, “If the malicious website wanted camera access, all it had to do was masquerade as a trusted video-conferencing website such as Skype or Zoom.”
Although Safari has its own “per-site permission” process that allows users to grant or deny to websites and apps to use certain features like camera, microphone, location etc, the vulnerabilities discovered by Pickren would have allowed hackers to access these features regardless of permission by leveraging an exploit chain that strings together multiple gaps in the system. This hack method only works for the duration of the user actively using the website.
According to the research, even plaintext passwords can be stolen as Safari failed to determine if the websites adhere to the “same-origin policy“, therefore granting access to a different website that should’ve never obtained permission in the first place. This can easily compromise user passwords programmed for auto-fill on various trusted websites.