Apple's reputation for device security is unshakeable in the market. Even so, over the years the Safari browser has had bugs that a hacker could exploit to take over the victim's microphone and camera on macOS and iOS devices.
Patched Vulnerabilities Had Potential for Massive Security Breach
A security researcher shared new findings this week revealing Safari bugs that would have allowed hackers to take over the microphone and webcam of Apple devices.
Although the vulnerabilities were patched in the January and March updates, the flaws would have allowed an attacker to spy on a victim remotely simply by getting them to click on a malicious link.
Rick Pickren, the security researcher who reported the vulnerabilities to Apple, explained that Safari encourages users to save their preferences for site permissions, such as access to the microphone and camera. An attacker could therefore have used the Safari bugs to trick the user into clicking a malicious link and make the browser treat it as an authentic website, granting the attacker access. Simply put, the attacker would then be able to take pictures, turn on the microphone or even share the screen.
How Does It Work?
When Pickren delved into the Apple Safari browser to unearth unusual behavior, he was able to find seven vulnerabilities, out of which three could be used to hack the system's camera.
He further explains that when a user grants permission to a website, Safari applies that permission to all variations of the site, such as www.example.com or http://example.com. All hackers have to do is use the vulnerability to create a special URL that tricks the browser.
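The permission matching described above, as an added example that is not taken from Pickren's report or from Safari's code: a simplified model comparing a store that keys saved grants on a normalised hostname with one that keys them on the exact origin. The function names, the PermissionStore class and the sample URLs are assumptions made for illustration.

```javascript
// Simplified model of a per-site permission store (illustration only, not Safari's code).

// Loose key: hostname only, scheme ignored, leading "www." dropped, as in the
// "site variations" matching described above. Ignoring the port is an assumption.
function looseKey(rawUrl) {
  return new URL(rawUrl).hostname.replace(/^www\./, "");
}

// Strict key: the exact origin (scheme + host + port).
// Assumption of this example: only https origins may hold a camera/microphone grant.
function strictKey(rawUrl) {
  const u = new URL(rawUrl);
  return u.protocol === "https:" ? u.origin : null;
}

class PermissionStore {
  constructor(keyFn) {
    this.keyFn = keyFn;
    this.granted = new Set();
  }
  grant(rawUrl) {
    const key = this.keyFn(rawUrl);
    if (key === null) throw new Error("origin not eligible for a grant: " + rawUrl);
    this.granted.add(key);
  }
  isGranted(rawUrl) {
    try {
      const key = this.keyFn(rawUrl);
      return key !== null && this.granted.has(key);
    } catch {
      return false; // unparsable URL: fail closed
    }
  }
}

// Grant once, then ask which candidate URLs inherit the saved permission.
function compare(grantedUrl, candidates) {
  const loose = new PermissionStore(looseKey);
  const strict = new PermissionStore(strictKey);
  loose.grant(grantedUrl);
  strict.grant(grantedUrl);
  return candidates.map((url) => ({ url, loose: loose.isGranted(url), strict: strict.isGranted(url) }));
}

// Constructed sample URLs.
const SAMPLE = ["https://example.com/call", "https://www.example.com/", "http://example.com/",
  "https://example.com:8443/", "https://example.org/", "not a url"];
console.table(compare("https://example.com/", SAMPLE));
```

With the loose key, every variation of example.com inherits the grant given to https://example.com/; with the strict key, only URLs on that exact origin do.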
Pickren compiled his research results and reported them to Apple in December 2019, working shoulder-to-shoulder with Apple's security team to patch the vulnerabilities.
Apple's bug bounty program's scope was expanded in December to cover more devices and products. Pickren says he received $75,000 from the Cupertino tech giant for his submission.