Safari Flaws Expose Webcams, Online Accounts and More

Usually the worst thing that happens when you open dozens of browser tabs is that you can't find the one that has suddenly started playing random ads. But a group of macOS vulnerabilities, fixed by Apple late last year, could expose your Safari tabs and other browser settings, opening the door for attackers to take over your online accounts, turn on your microphone, or watch you through your webcam.

macOS has built-in protections against this type of attack, including Gatekeeper, which validates the software your Mac runs. But this attack chain bypassed those protections by abusing iCloud and Safari features that macOS already trusted. While looking for potential weaknesses in Safari, independent security researcher Ryan Pickren began examining iCloud's document sharing mechanism because of the inherent trust between iCloud and macOS. When you share iCloud documents with other users, Apple uses a behind-the-scenes app called "ShareBear" to coordinate the transfer. Pickren discovered that he could manipulate ShareBear into delivering a malicious file to victims.

In fact, the file itself isn't even malicious at first, which makes it easy to offer victims something appealing and trick them into opening it. Pickren found that, because of the trust relationship between Safari, iCloud, and ShareBear, an attacker could later regain access to what they had shared with the victim and silently swap that file for a harmful one. All of this can happen without the victim receiving a new prompt from iCloud or noticing that anything has changed.

Once an attacker has staged the attack, they can essentially hijack Safari: see what the victim sees, access the accounts the victim is logged into, and abuse the permissions the victim has granted websites to access their camera and microphone. The attacker can also access other files stored locally on the victim's Mac.

"The attacker is basically punching a hole in the browser," said Ryan Pickren, the security researcher who disclosed the vulnerabilities to Apple. "So if you're logged into Twitter.com in a tab, I can jump in there and do everything you can from Twitter.com. But that has nothing to do with Twitter's servers or security; I as an attacker am just assuming the role you already have in your browser."

In October, Apple patched a vulnerability in Safari's WebKit engine and made changes to iCloud. In December it patched a related vulnerability in Script Editor, its script editing and automation tool.

"This is an impressive chain of exploits," said Patrick Wardle, a longtime researcher and founder of the macOS security nonprofit Objective-See. "It's clever that it exploits design flaws and creatively uses macOS's built-in capabilities to circumvent defenses and compromise systems."

Pickren previously discovered a set of Safari bugs that enabled webcam takeover. He disclosed the new findings through Apple's bug bounty program in mid-July, and the company rewarded him with $100,500. The amount is not unprecedented for Apple's disclosure program, but it reflects the severity of the flaws. For example, in 2020 the company paid $100,000 for a critical vulnerability in the Sign in with Apple single sign-on system.

Safari and WebKit, however, face a particular set of security challenges because they are such large platforms. And Apple has struggled to get a handle on the problem, even when vulnerabilities have been public for weeks or months.
