Bugs that let sites hijack Mac and iPhone cameras fetch $75k bounty

Ryan Pickren

A security bug that gave malicious hackers the ability to access the cameras of Macs, iPhones, and iPads has fetched a $75,000 bounty to the researcher who discovered it.

In posts published here and here, researcher Ryan Pickren said he discovered seven vulnerabilities in Safari and its Webkit browser engine that, when chained together, allowed malicious websites to turn on the cameras of Macs, iPhones, and iPads. Pickren privately reported the bugs, and Apple has since fixed the vulnerabilities and paid the researcher $75,000 as part of the company’s bug bounty program.

Apple tightly restricts the access that third-party apps get to device cameras. For Apple apps, the restrictions aren’t quite as stringent. Even then, Safari requires users to explicitly list the sites that are allowed camera access. And beyond that, cameras can only have access to those sites when they are delivered in a secure context, meaning when the browser has high confidence the page is being delivered through an HTTPS connection.

When Skype.com isn’t Skype.com

Pickren devised an exploit chain that bypassed these protections. By exploiting multiple vulnerabilities he discovered, the researcher was able to force Safari to treat his malicious proof-of-concept website as if it was Skype.com, which for demonstration purposes was included in the list of trusted sites. (Skype.com doesn’t actually support Safari, but Pickren’s exploit can spoof any site, including Zoom and Google Hangouts, that does.) The video below shows the result.

The hack in desktop format.

As is clear, visiting a site that exploited these bugs allowed it to masquerade as any other site. In the event Safari trusted the spoofed site to access the camera, the malicious site was able to immediately view whatever was in view of the targeted device. The video also makes clear that a video camera would appear in the address bar as soon as the access began. Additionally, Mac cameras would turn on a green light. While alert users would know their cameras had been activated, less experience or vigilant users might not notice.

“Put simply—the bug tricked Apple into thinking a malicious website was actually a trusted one,” Pickren wrote. “It did this by exploiting a series of flaws in how Safari was parsing URIs, managing Web origins, and initializing secure contexts.”

His malicious website used JavaScript to directly access the targeted webcam without asking for or getting permission. Pickren said that exploits could have used “any JavaScript code with the ability to create a popup.” That means the camera grab could be carried out not just by stand-alone websites, but also embedded ad banners, sites rendered in an HTML iframe tag, or malicious browser extensions.

The longer of the Pickren’s two posts, located here, provides a deep dive into the technical details. In an email, Pickren summarized the exploit this way:

My malicious website used a “data URL” to generate a “blob URL” and then used the Location.replace() web API to navigate to it. This tricked Safari into accidentally giving me a malformed “origin” (CVE-2020-3864). With this malformed origin, I used the window.history API to change my URL to “blob://skype.com.” From there, I effectively nulled-out my origin to trick Safari into thinking I was in a “secure context” (CVE-2020-3865). Because Safari previously ignored the URL schemes when applying website permissions (CVE-2020-3852), I was able to leverage all of the permissions that the victim granted to the real skype.com.

While the attack chain exploited the vulnerabilities tracked as CVE-2020-3864, CVE-2020-3865, and CVE-2020-3852, Pickren discovered four other flaws that are indexed as CVE-2020-3885, CVE-2020-3887, CVE-2020-9784, & CVE-2020-9787. Apple fixed most of them in late January (see advisories here and here, and patched the remainder last month.