{"id":18089,"date":"2022-02-02T10:50:30","date_gmt":"2022-02-02T18:50:30","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2022\/02\/02\/news-11822\/"},"modified":"2022-02-02T10:50:30","modified_gmt":"2022-02-02T18:50:30","slug":"news-11822","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2022\/02\/02\/news-11822\/","title":{"rendered":"Safari Flaws Exposed Webcams, Online Accounts, and More"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/61f034d2f355cd4b798a010e\/master\/pass\/Sec_Safari_GettyImages-1270683438.jpg\"\/><\/p>\n<p><strong>Credit to Author: Lily Hay Newman| Date: Wed, 26 Jan 2022 00:39:25 +0000<\/strong><\/p>\n<p class=\"BylineWrapper-iiTsTb hAGfXd byline bylines__byline\" data-testid=\"BylineWrapper\" itemprop=\"author\" itemtype=\"http:\/\/schema.org\/Person\"><span itemprop=\"name\" class=\"BylineNamesWrapper-dbkCxf erRIa-D\"><span data-testid=\"BylineName\" class=\"BylineName-cKXFOb UCAzg byline__name\"><a class=\"BaseWrap-sc-TURhJ BaseText-fFzBQt BaseLink-gZQqBA BylineLink-eZnyPI eTiIvU mEZDb fNdcwQ bKZMMS byline__name-link button\" href=\"\/author\/lily-hay-newman\">Lily Hay Newman<\/a><\/span><\/span><\/p>\n<p><span class=\"lead-in-text-callout\">Usually the worst<\/span> thing that happens when you have dozens of browser tabs open is you can&#x27;t find the one that suddenly starts blasting random ads. 
But a group of macOS vulnerabilities\u2014fixed by Apple at the end of last year\u2014could have exposed your Safari tabs and other browser settings to attack, opening the door for hackers to grab control of your online accounts, turn on your microphone, or take over your webcam.<\/p>\n<p class=\"paywall\">MacOS has built-in protections to prevent this sort of attack, including Gatekeeper, which confirms the validity of the software your Mac runs. But <a data-offer-url=\"https:\/\/www.ryanpickren.com\/safari-uxss\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.ryanpickren.com\/safari-uxss&quot;}\" href=\"https:\/\/www.ryanpickren.com\/safari-uxss\" rel=\"nofollow noopener\" target=\"_blank\">this hack<\/a> got around those safeguards by abusing iCloud and Safari features that macOS already trusts. While poking for potential weaknesses in Safari, independent security researcher Ryan Pickren started looking at iCloud&#x27;s document-sharing mechanism because of the trust inherent between iCloud and macOS. When you share an iCloud document with another user, Apple uses a behind-the-scenes app called ShareBear to coordinate the transfer. Pickren found that he could manipulate ShareBear to offer victims a malicious file.\u00a0<\/p>\n<p class=\"paywall\">\u201cThe attacker is basically punching a hole in the browser.\u201d<\/p>\n<p class=\"paywall\">Ryan Pickren, security researcher<\/p>\n<p class=\"paywall\">In fact, the file itself doesn&#x27;t even have to be malicious at first, making it easier to offer victims something compelling and trick them into clicking. Pickren found that because of the trusted relationship between Safari, iCloud, and ShareBear, an attacker could actually revisit what they shared with a victim later and silently swap the file for a malicious one. 
All of this can happen without the victim receiving a new prompt from iCloud or realizing that anything has changed.\u00a0<\/p>\n<p class=\"paywall\">Once the hacker has staged the attack, they can essentially take over Safari, see what the victim sees, access the accounts the victim is logged into, and abuse permissions the victim has granted websites to access their camera and microphone. An attacker could also access other files stored locally on the victim&#x27;s Mac.<\/p>\n<p class=\"paywall\">\u201cThe attacker is basically punching a hole in the browser,\u201d says Ryan Pickren, the security researcher who disclosed the vulnerabilities to Apple. \u201cSo if you\u2019re signed in to Twitter.com on one tab, I could jump into that and do everything you can from Twitter.com. But that\u2019s nothing to do with Twitter\u2019s servers or security; I as the attacker am just assuming the role that you already have in your browser.\u201d<\/p>\n<p class=\"paywall\">In October, <a data-offer-url=\"https:\/\/support.apple.com\/en-us\/HT212869\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/support.apple.com\/en-us\/HT212869&quot;}\" href=\"https:\/\/support.apple.com\/en-us\/HT212869\" rel=\"nofollow noopener\" target=\"_blank\">Apple patched<\/a> the vulnerability in Safari&#x27;s WebKit engine and made revisions in iCloud. 
And in December <a data-offer-url=\"https:\/\/support.apple.com\/en-us\/HT212981\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/support.apple.com\/en-us\/HT212981&quot;}\" href=\"https:\/\/support.apple.com\/en-us\/HT212981\" rel=\"nofollow noopener\" target=\"_blank\">it patched<\/a> a related vulnerability in its Script Editor code automation and editing tool.<\/p>\n<p class=\"paywall\">\u201cThis is an impressive exploit chain,\u201d says Patrick Wardle, a longtime researcher and founder of the macOS security nonprofit Objective-See. \u201cIt&#x27;s clever that it exploits design flaws and creatively uses built-in macOS capabilities to circumvent defense mechanisms and compromise the\u00a0system.\u201d<\/p>\n<p class=\"paywall\">Pickren previously discovered a series of Safari bugs that could have <a href=\"https:\/\/www.wired.com\/story\/hacker-apple-safari-webcam-bug\/\">enabled webcam takeovers<\/a>. He disclosed the new findings through Apple&#x27;s bug bounty program in mid-July, and the company awarded him $100,500. The amount is not unprecedented for Apple&#x27;s disclosure program, but its size reflects the severity of the flaws. 
In 2020, for example, the company <a data-offer-url=\"https:\/\/threatpost.com\/apple-100k-bounty-critical-sign-in-with-apple-flaw\/156167\/#:~:text=The%20security%20researcher%2C%20Bhavuk%20Jain,awarded%20%24100%2C000%20for%20the%20find.&amp;text=%E2%80%9CThis%20bug%20could%20have%20resulted,valid%20Apple%20ID%20or%20not.%E2%80%9D\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/threatpost.com\/apple-100k-bounty-critical-sign-in-with-apple-flaw\/156167\/#:~:text=The%20security%20researcher%2C%20Bhavuk%20Jain,awarded%20%24100%2C000%20for%20the%20find.&amp;text=%E2%80%9CThis%20bug%20could%20have%20resulted,valid%20Apple%20ID%20or%20not.%E2%80%9D&quot;}\" href=\"https:\/\/threatpost.com\/apple-100k-bounty-critical-sign-in-with-apple-flaw\/156167\/#:~:text=The%20security%20researcher%2C%20Bhavuk%20Jain,awarded%20%24100%2C000%20for%20the%20find.&amp;text=%E2%80%9CThis%20bug%20could%20have%20resulted,valid%20Apple%20ID%20or%20not.%E2%80%9D\" rel=\"nofollow noopener\" target=\"_blank\">paid out $100,000<\/a> for a crucial flaw in its Sign In With Apple single sign-on system.<\/p>\n<p class=\"paywall\">Safari and WebKit, though, have a <a href=\"https:\/\/www.wired.com\/story\/ios-security-imessage-safari\/\">particular set of security challenges<\/a> because they are such massive platforms. 
And Apple has had a difficult time <a href=\"https:\/\/www.wired.com\/story\/ios-15-bug-leaking-user-browsing-activity-in-real-time\/\">getting a handle<\/a> on the problem, <a data-offer-url=\"https:\/\/arstechnica.com\/gadgets\/2021\/05\/exploitable-security-bug-remains-in-ios-and-macos-3-weeks-after-upstream-fix\/\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/arstechnica.com\/gadgets\/2021\/05\/exploitable-security-bug-remains-in-ios-and-macos-3-weeks-after-upstream-fix\/&quot;}\" href=\"https:\/\/arstechnica.com\/gadgets\/2021\/05\/exploitable-security-bug-remains-in-ios-and-macos-3-weeks-after-upstream-fix\/\" rel=\"nofollow noopener\" target=\"_blank\">even when<\/a> vulnerabilities are public for weeks or months.\u00a0<\/p>\n<p class=\"paywall\">\u201cAs systems become more complex, they introduce more bugs, and that\u2019s especially true for web browsers these days,\u201d Pickren says. \u201cSafari can do so many things, it\u2019s really no surprise that there are going to be more bugs as more features come out.\u201d<\/p>\n<p class=\"paywall\">Such bugs may be common, but that doesn&#x27;t make them any less serious. Attackers regularly take advantage of browser vulnerabilities for both criminal and nation-state hacking. For example, they are commonly <a href=\"https:\/\/www.wired.com\/story\/ios-macos-hacks-hong-kong-watering-hole\/\">exploited in watering hole attacks<\/a> that target visitors of tainted websites. And hackers actively use unpatched \u201czero-day\u201d browser vulnerabilities they&#x27;ve discovered or purchased, along with older bugs that they can exploit opportunistically when targets haven&#x27;t updated their browsers.\u00a0<\/p>\n<p class=\"paywall\">\u201cA bug like this really stresses how crucial it is to keep your browser up to date,\u201d Pickren says. 
\u201cIt&#x27;s an easy thing to push off, but it&#x27;s ultra-important.\u201d<\/p>\n<p class=\"paywall\">It&#x27;s solid advice, regardless of your browser of choice.<\/p>\n<p><a href=\"https:\/\/www.wired.com\/story\/safari-flaws-webcam-online-accounts-mic\" target=\"bwo\" >https:\/\/www.wired.com\/category\/security\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/61f034d2f355cd4b798a010e\/master\/pass\/Sec_Safari_GettyImages-1270683438.jpg\"\/><\/p>\n<p><strong>Credit to Author: Lily Hay Newman| Date: Wed, 26 Jan 2022 00:39:25 +0000<\/strong><\/p>\n<p>Apple awarded a $100,500 bug bounty to the researcher who discovered the latest major vulnerability in its browser.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10607],"tags":[714,21358],"class_list":["post-18089","post","type-post","status-publish","format-standard","hentry","category-security","category-wired","tag-security","tag-security-cyberattacks-and-hacks"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18089","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=18089"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18089\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=18089
"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=18089"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=18089"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}