01/27/2022

Safari Flaws Exposed Webcams, Online Accounts and More

Apple awarded $100,500 to the researcher who uncovered it

Usually the worst thing that happens when you have dozens of browser tabs open is you can't find the one that suddenly starts blasting random ads. But a group of macOS vulnerabilities—fixed by Apple at the end of last year—could have exposed your Safari tabs and other browser settings to attack, opening the door for hackers to grab control of your online accounts, turn on your microphone, or take over your webcam.

MacOS has built-in protections to prevent this sort of attack, including Gatekeeper, which confirms the validity of the software your Mac runs. But this hack got around those safeguards by abusing iCloud and Safari features that macOS already trusts.

While poking for potential weaknesses in Safari, independent security researcher Ryan Pickren started looking at iCloud's document-sharing mechanism because of the trust inherent between iCloud and macOS. When you share an iCloud document with another user, Apple uses a behind-the-scenes app called ShareBear to coordinate the transfer. Pickren found that he could manipulate ShareBear to offer victims a malicious file.

Please select this link to read the complete article from WIRED.