$100,500 bug bounty awarded by Apple for Vulnerability in Safari
Most of the time, when you have dozens of tabs open in your browser, it's impossible to find the one that suddenly starts blasting ads. A macOS security flaw that Apple fixed at the end of last year left Safari tabs and other browser settings vulnerable to attack, which could have allowed hackers to take control of your online accounts, turn on your microphone, and take control of your webcam.
Gatekeeper, which confirms the validity of the software your Mac runs, is one of the protections built into macOS to prevent this kind of attack. But this hack evaded those safeguards by exploiting iCloud and Safari features that macOS already trusts.
Due to the trust between iCloud and macOS, independent security researcher Ryan Pickren started looking at iCloud’s document-sharing mechanism when investigating potential issues in Safari. Apple uses a background app called ShareBear to coordinate the transfer of iCloud documents. Pickren found that he could manipulate ShareBear to deliver malicious files to victims.
Files don't even need to be malicious to trick victims into clicking; victims just need something compelling to lure them in. According to Pickren, an attacker could silently swap the shared file for a malicious one based on the trust relationship between Safari, iCloud, and ShareBear. The victim may not even realize that anything has changed, because they do not receive a new notification from iCloud.
After the hacker stages the attack, they can basically take over Safari, see what their victim sees, access accounts they are logged into, and abuse the permissions websites have been granted to access their camera and microphone. The attacker would also be able to access other files stored locally on the victim's system.
Apple plugged the vulnerability in Safari's WebKit engine and revised its iCloud service in October. In December, it plugged a related problem in its Script Editor code automation tool. In mid-July, Pickren disclosed a series of Safari bugs that could have enabled webcam takeovers, and Apple awarded him $100,500 in recognition.