A security researcher has disclosed vulnerabilities in Apple’s Safari browser that can be used to snoop on iPhones, iPads and Mac computers using their microphones and cameras. To exploit the flaws in a real-world attack, all an attacker would need to do is convince a victim to click one malicious link.

Security researcher Ryan Pickren has revealed details on seven flaws in Safari, including three that could be used in a kill chain to access victims’ webcams. The vulnerabilities were previously submitted to Apple via its bug-bounty program and have been patched – however, technical details of the flaws, including a proof of concept (PoC) attack, were kept under wraps until Pickren’s recent disclosure.

“Imagine you are on a popular website when all of a sudden an ad banner hijacks your camera and microphone to spy on you. That is exactly what this vulnerability would have allowed,” said Pickren, in an analysis of the vulnerabilities last week. ​”This vulnerability allowed malicious websites to masquerade as trusted websites when viewed on the desktop version of Safari (like on Mac computers) or mobile Safari (like on iPhones or iPads).”



While normally each app must be explicitly granted permissions by users to access devices’ cameras and microphones, Apple’s own apps do not require them, including Safari. Furthermore, new web technologies, including the MediaDevices Web API (an interface providing access to connected media input devices like cameras and microphones, as well as screen sharing), allow certain websites to utilize Safari’s permissions to access the camera directly. Pickren said that this feature is “great for web-based video-conferencing apps such as Skype or Zoom. But… this new web-based camera tech undermines the OS’s native-camera security model.”

With these issues in mind, Pickren discovered three vulnerabilities in the macOS and iOS versions of Safari 13.0.4 (CVE-2020-3885, CVE-2020-3887, CVE-2020-9784), which eventually allowed him access to the webcam sans victim permission.

Specifically, the flaws stem from a perfect storm of small errors in how Safari parses Uniform Resource Identifiers (including URLs/web addresses); manages web origins (origins are defined by the protocol and web domain used) and ports; and initializes secure contexts (a secure context is a window where content has been delivered securely via HTTPS/TLS).

An attacker could take advantage of these errors by creating a specially crafted URL that would utilize scripts embedded in a malicious site. The URL would be able to trick Safari into thinking an attacker-controlled website is in the “secure context” of a trusted website, such as Zoom or Skype. Safari would then give the attackers behind the link untethered permission to access the webcam via the MediaDevices Web API.

“If a malicious website strung these issues together, it could use JavaScript to directly access the victim’s webcam without asking for permission,” he said in a technical walk through of the attack. “Any JavaScript code with the ability to create a popup (such as a standalone website, embedded ad banner, or browser extension) could launch this attack.” Once a user clicks on those website URLs, ad banners or extensions, the permissions to access their camera and microphone would be automatically granted to attackers.

Pickren said that he reported the seven flaws (CVE-2020-3852, CVE-2020-3864, CVE-2020-3865, CVE-2020-3885, CVE-2020-3887, CVE-2020-9784, and CVE-2020-9787) in December 2019 to Apple as part of their bug-bounty program (which was made public to the research community in December) – winning the researcher $75,000. The top reward in the “Network Attack without User Interaction: Zero-Click Unauthorized Access to Sensitive Data” category, in which Pickren submitted his findings, is $500,000.

Apple patched the webcam vulnerabilities in a January 28 update (for Safari version 13.0.5) and the remaining four flaws were patched in March. Threatpost has reached out to Apple for further comment.

The disclosure comes on the heels of a separate report last week of two Zoom zero-day flaws in the macOS client version of the web conferencing platform. The Zoom vulnerabilities could give local, unprivileged attackers root privileges, and allow them to access victims’ microphone and camera.

Do you suffer from Password Fatigue? On Wednesday April 8 at 2 p.m. ET join Duo Security and Threatpost as we explore a passwordless future. This FREE webinar maps out a future where modern authentication standards like WebAuthn significantly reduce a dependency on passwords. We’ll also explore how teaming with Microsoft can reduced reliance on passwords. Please register here and dare to ask, “Are passwords overrated?” in this sponsored webinar.