Usually the worst thing that happens when you have dozens of browser tabs open is that you can’t find the one that suddenly starts blasting random ads. But a group of macOS vulnerabilities — fixed by Apple late last year — could have left your Safari tabs and other browser settings open to attack, opening the door for hackers to take control of your online accounts, turn your microphone on, or take over your webcam.
macOS has built-in protections to prevent this type of attack, including Gatekeeper, which confirms the validity of the software running on your Mac. But this hack circumvented these safeguards by abusing iCloud and Safari features that macOS already trusts. While looking for potential vulnerabilities in Safari, independent security researcher Ryan Pickren began investigating iCloud’s document sharing mechanism because of the trust between iCloud and macOS. When you share an iCloud document with another user, Apple uses a background app called ShareBear to coordinate the transfer. Pickren found he could manipulate ShareBear to offer victims a malicious file.
In fact, the file itself doesn’t even have to be malicious to begin with, which makes it easier to offer victims something convincing and trick them into clicking. Pickren found that because of the trusting relationship between Safari, iCloud, and ShareBear, an attacker could later access what they had shared with a victim and silently swap the file for a malicious one. All of this can happen without the victim getting a new prompt from iCloud or realizing that anything has changed.
Once the attacker has carried out the attack, they can essentially take over Safari, see what the victim sees, access the accounts the victim is logged into, and abuse permissions the victim has granted websites to access their camera and microphone. An attacker could also access other files stored locally on the victim’s Mac.
“The attacker basically punches a hole in the browser,” says Ryan Pickren, the security researcher who disclosed the vulnerabilities to Apple. “So if you’re logged into Twitter.com on a tab, I could jump in there and do whatever you can do from Twitter.com. But this has nothing to do with Twitter’s servers or security, I as an attacker am just taking on the role that you already have in your browser.”
In October, Apple patched the vulnerability in Safari’s WebKit engine and made fixes in iCloud. And in December it patched a related vulnerability in its code automation and editing tool Script Editor.
“This is an impressive exploit chain,” says Patrick Wardle, a longtime researcher and founder of the nonprofit macOS security organization Objective-See. “It’s clever in that it exploits design flaws and creatively uses built-in macOS features to bypass defenses and compromise the system.”
Pickren previously discovered a number of Safari bugs that could have enabled webcam takeover. He reported the new findings in mid-July through Apple’s bug bounty program, and the company paid him $100,500. The amount is not unprecedented for Apple’s disclosure program, but it reflects the seriousness of the flaws. In 2020, for example, the company paid $100,000 for a critical flaw in its Sign In With Apple single sign-on system.
However, Safari and WebKit face unique security challenges because they are such huge platforms. And Apple has had trouble fixing such problems, even when vulnerabilities have been public for weeks or months.