**CVSS3: 8.6 High**

| Metric | Value |
| --- | --- |
| Attack Vector | LOCAL |
| Attack Complexity | LOW |
| Privileges Required | NONE |
| User Interaction | REQUIRED |
| Scope | CHANGED |
| Confidentiality Impact | HIGH |
| Integrity Impact | HIGH |
| Availability Impact | HIGH |

Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

**CVSS2: 6.8 Medium**

| Metric | Value |
| --- | --- |
| Access Vector | NETWORK |
| Access Complexity | MEDIUM |
| Authentication | NONE |
| Confidentiality Impact | PARTIAL |
| Integrity Impact | PARTIAL |
| Availability Impact | PARTIAL |

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
A researcher who showed Apple how its webcams can be hijacked via a universal cross-site scripting (UXSS) bug in Safari has been awarded what is reportedly a record $100,500 bug bounty. The bug could be used by an adversary as part of an attack to gain full access to every website ever visited by the victim.
The bug-finder is Ryan Pickren, founder of proof-of-concept sharing platform BugPoC and a former Amazon Web Services security engineer. This isn’t the first time he’s found bugs that let him hoodwink Apple’s cameras: In 2020, he discovered vulnerabilities in the Safari browser that could be used to snoop on iPhones, iPads and Mac computers using their microphones and cameras, just by convincing a target to click one malicious link.
> Great research once again from Ryan Pickren for those looking for Apple bugs: Gaining unauthorized camera access via Safari UXSS <https://t.co/SP8duGpq8T>
>
> — Jon Bottarini (@jon_bottarini) January 25, 2022
This time around, according to Pickren, he found a series of flaws in Safari 15 and iCloud Sharing that could again lead to unauthorized camera access, with the attack once more launched from a malicious site.
But his more recent find is worse: It could also enable a shared iCloud document to “hack every website you’ve ever visited,” he said, and could steal permissions to use multimedia – in other words, the microphone, camera and screensharing.
Pickren reported that the same hack could result in an attacker gaining full access to a device’s entire filesystem, by exploiting Safari’s webarchive files, which are the files Safari creates as an alternative to HTML when it saves a website locally.
Pickren submitted the bugs to Apple last July. The iPhone-maker patched the issues earlier this month and subsequently awarded the $100,500 bug bounty to Pickren.
The issues are found in ShareBear, a behind-the-scenes iCloud file-sharing app that prompts users when they try to open a shared document for the first time – and only the first time. Since users aren’t presented with the display again once they’ve accepted the prompt to open the file, Pickren found that anyone who has access to the file can alter the file’s content after that occurs.
“ShareBear will then download and update the file on the victim’s machine without any user interaction or notification,” Pickren explained in his technical write-up. “In essence, the victim has given the attacker permission to plant a polymorphic file onto their machine and the permission to remotely launch it at any moment.”
These three steps are involved in using ShareBear to download and open a webarchive file:
Stages of ShareBear attack. Source: Ryan Pickren.
Pickren identified four zero-day bugs, the following of which have received CVE tracking numbers:
“This project was an interesting exploration of how a design flaw in one application can enable a variety of other, unrelated, bugs to become more dangerous,” Pickren concluded. “It was also a great example of how even with macOS Gatekeeper enabled, an attacker can still achieve a lot of mischief by tricking approved apps into doing malicious things.”
appleinsider.com/articles/22/01/25/apple-pays-record-100500-to-student-who-found-mac-webcam-hack
bugpoc.com/
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30861
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30975
en.wikipedia.org/wiki/Gatekeeper_(macOS)
media.threatpost.com/wp-content/uploads/sites/103/2022/01/31123626/Staging-the-Attack-e1643650600392.jpg
media.threatpost.com/wp-content/uploads/sites/103/2022/01/31123732/Mount-Disk-Image.jpg
media.threatpost.com/wp-content/uploads/sites/103/2022/01/31123814/Launch-URL-file.jpg
support.apple.com/en-us/HT212869
t.co/SP8duGpq8T
threatpost.com/apple-safari-flaws-webcam-access/154476/
threatpost.com/apples-bug-bounty-opens-1m-payout/151334/
threatpost.com/category/webinars/
twitter.com/jon_bottarini/status/1486089548732014596?ref_src=twsrc%5Etfw
www.oreilly.com/library/view/applescript-the-definitive/0596005571/ch04s07.html
www.ryanpickren.com/safari-uxss