Security engineer and hacker Ryan Pickren found seven zero-day vulnerabilities in Safari and was able to construct a kill chain using just three of them to hack the iPhone camera successfully. The vulnerabilities also affected the MacBook’s camera.
In December 2019, Pickren decided to dig into Safari for iOS and macOS and “hammer the browser with obscure corner cases” in the hope of discovering some weird behavior. He focused particularly on the camera model, which, despite being “pretty intense,” had some security loopholes.
To cut a very long and technical story short: Pickren found a total of seven zero-day vulnerabilities in Safari (CVE-2020-3852, CVE-2020-3864, CVE-2020-3865, CVE-2020-3885, CVE-2020-3887, CVE-2020-9784, and CVE-2020-9787), of which three could be used in the camera hacking kill chain. The vulnerabilities involved the way that Safari parsed Uniform Resource Identifiers, managed web origins and initialized secure contexts. Yes, this involved tricking a user into visiting a malicious website. Still, that website could then directly access the camera, provided the user had previously trusted a video conferencing site such as Zoom, for example.
Pickren reported the issues to Apple in mid-December through the company’s Bug Bounty program. Apple validated all seven bugs and shipped a fix for the three-bug camera kill chain in the Safari 13.0.5 update, which was released on January 28. The remaining four vulnerabilities were less severe and were fixed by Apple in the Safari 13.1 release on March 24. Apple paid Pickren $75,000 for discovering these vulnerabilities.
“I really enjoyed working with the Apple product security team when reporting these issues,” Pickren told Forbes. “The new bounty program is absolutely going to help secure products and protect customers. I’m really excited that Apple embraced the help of the security research community.”
As Pickren himself puts it, the most important takeaway from the security vulnerability is that “users should never feel totally confident that their camera is secure” irrespective of which OS or device they are using. [Via Forbes]