{"id":18135,"date":"2022-02-02T11:10:31","date_gmt":"2022-02-02T19:10:31","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2022\/02\/02\/news-11868\/"},"modified":"2022-02-02T11:10:31","modified_gmt":"2022-02-02T19:10:31","slug":"news-11868","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2022\/02\/02\/news-11868\/","title":{"rendered":"Apple fixes Mac bug that could have allowed takeover of webcams and browser tabs"},"content":{"rendered":"<p><strong>Credit to Author: Christopher Boyd| Date: Thu, 27 Jan 2022 11:43:49 +0000<\/strong><\/p>\n<p>A researcher has picked up a $100,500 bounty from Apple after discovering a rather nasty method of <a href=\"https:\/\/indianexpress.com\/article\/technology\/tech-news-technology\/apple-pays-100500-to-student-who-found-mac-webcam-hack-7741545\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">gaining control of other people\u2019s Macs<\/a>. The issue, discovered lurking in Safari by Ryan Pickren, could make use of rogue websites to perform a number of dubious actions.<\/p>\n<p>It begins, as so many attacks do, with a single click.<\/p>\n<h2>&#8220;Check out my website&#8230;&#8221;<\/h2>\n<p>The attacker starts by steering the victim to a specific website and getting them to click on a \u201cplay\u201d button via a popup. The bug then deploys files that give the attacker full control. There\u2019s a peripheral angle, and a browsing angle, to this attack.<\/p>\n<p>First off, the peripheral angle. Falling foul of this one activates the Mac\u2019s webcam and allows an attacker to spy on you. This is, of course, never a good thing in the privacy stakes. <\/p>\n<p>This is actually the second webcam bug found by this researcher. In 2020, Pickren found a <a href=\"https:\/\/threatpost.com\/apple-safari-flaws-webcam-access\/154476\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">zero-day<\/a> which granted camera access, which Apple fixed. 
Turns out there\u2019s always another way to get things done, and this is why webcam covers are, at a minimum, a very good idea.<\/p>\n<p>Secondly, we have the browsing angle. It\u2019s not just possible to hijack the webcam with this one. The attacker could also access and interact with anything open in Safari. Essentially, this is a full account takeover in a suddenly very hostile web browsing experience. Have your email account open? The attacker can access it. Social media pages? Same again. About to comment on a local news story involving a lost kitten and a tree? Buckle up, because what\u2019s posted may not be to your liking.<\/p>\n<p>So how did our intrepid student researcher achieve this?<\/p>\n<h2>The mighty power of UXSS (Universal cross-site scripting bugs)<\/h2>\n<p>The answer is via UXSS, something Google feels to be one of the <a href=\"https:\/\/storage.googleapis.com\/pub-tools-public-publication-data\/pdf\/f5a8289d4f69e9e34b38a1e7c05ef4818b22cd5b.pdf\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">nastier things<\/a> floating around the exploit realm. As per the document:<\/p>\n<blockquote class=\"wp-block-quote\">\n<p><em>Bugs leading to UXSS attacks are among the most significant threats for users of any browser. From an attacker perspective, a UXSS exploit may be almost as valuable as a Remote Code Execution (RCE) exploit with the sandbox escape.<\/em><\/p>\n<\/blockquote>\n<p>If you save a website locally, you have the option of saving as webarchive files instead of HTML. As the writeup states, these files specify the web origin that the downloaded content should be rendered in. 
If attackers are able to modify the file somehow, they\u2019ve as good as reached UXSS nirvana.<\/p>\n<p>The researcher combined this with <a href=\"https:\/\/danielmiessler.com\/study\/difference-between-uri-url\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">URI exploration<\/a>, eventually settling on something called \u201cShareBear\u201d.<\/p>\n<h2>Sharing is bearing<\/h2>\n<p>ShareBear leaps into action whenever some remote content needs to be grabbed. This is set in motion via iCloud-sharing: and this has the ability to create a public share link. Taking this link and exchanging \u201chttps\u201d for \u201cicloud-sharing\u201d is enough to automatically open ShareBear.<\/p>\n<p>This is where the \u201cOpen file\u201d popup mentioned earlier comes into play.<\/p>\n<p>If it\u2019s the first time you\u2019ve seen the popup, then hitting \u201cOpen\u201d downloads the file and automatically opens it. The popup is gone forever; the after effects, not so much.<\/p>\n<p>Any website in Safari, via ShareBear, has the ability to launch this file. The creator can alter it however they wish at their end after you said \u201cyes\u201d to opening it, and it\u2019ll download and update the file on the victim\u2019s PC automatically.<\/p>\n<p>As the discoverer of this technique put it:<\/p>\n<blockquote class=\"wp-block-quote\">\n<p><em>Agreed to view my PNG file yesterday? Well today it&#8217;s an executable binary that will be automatically launched whenever I want.<\/em><\/p>\n<\/blockquote>\n<p>Apple has <a href=\"https:\/\/support.apple.com\/en-us\/HT212869\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">already fixed<\/a> this issue, so you should be safe from oversharing bears and webcam indiscretions. 
<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/exploits-and-vulnerabilities\/2022\/01\/apple-fixes-mac-bug-that-could-have-allowed-takeover-of-webcams-and-browser-tabs\/\">Apple fixes Mac bug that could have allowed takeover of webcams and browser tabs<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/exploits-and-vulnerabilities\/2022\/01\/apple-fixes-mac-bug-that-could-have-allowed-takeover-of-webcams-and-browser-tabs\/\" target=\"bwo\" >https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Christopher Boyd| Date: Thu, 27 Jan 2022 11:43:49 +0000<\/strong><\/p>\n<table cellpadding='10'>\n<tr>\n<td valign='top' align='center'><a href='https:\/\/blog.malwarebytes.com\/exploits-and-vulnerabilities\/2022\/01\/apple-fixes-mac-bug-that-could-have-allowed-takeover-of-webcams-and-browser-tabs\/' title='Apple fixes Mac bug that could have allowed takeover of webcams and browser tabs'><img src='https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/04\/apple-mac-macbook-feature.jpg' border='0'  width='300px'  \/><\/a><\/td>\n<\/tr>\n<tr>\n<td valign='top' align='left'>A researcher discovered a way to gain control of both webcams and any open session in Safari. 
How did they do it?<\/p>\n<p>Categories: <a href=\"https:\/\/blog.malwarebytes.com\/category\/exploits-and-vulnerabilities\/\" rel=\"category tag\">Exploits and vulnerabilities<\/a><\/p>\n<p>Tags: <a href=\"https:\/\/blog.malwarebytes.com\/tag\/apple\/\" rel=\"tag\">Apple<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/macos\/\" rel=\"tag\">macOS<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/popup\/\" rel=\"tag\">popup<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/safari\/\" rel=\"tag\">safari<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/uri\/\" rel=\"tag\">URI<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/url\/\" rel=\"tag\">url<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/uxss\/\" rel=\"tag\">UXSS<\/a><\/p>\n<table width='100%'>\n<tr>\n<td align=right>\n<p><b>(<a href='https:\/\/blog.malwarebytes.com\/exploits-and-vulnerabilities\/2022\/01\/apple-fixes-mac-bug-that-could-have-allowed-takeover-of-webcams-and-browser-tabs\/' title='Apple fixes Mac bug that could have allowed takeover of webcams and browser tabs'>Read more&#8230;<\/a>)<\/b><\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/exploits-and-vulnerabilities\/2022\/01\/apple-fixes-mac-bug-that-could-have-allowed-takeover-of-webcams-and-browser-tabs\/\">Apple fixes Mac bug that could have allowed takeover of webcams and browser tabs<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes 
Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[2211,22783,10403,24743,10543,24744,12015,24745],"class_list":["post-18135","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-apple","tag-exploits-and-vulnerabilities","tag-macos","tag-popup","tag-safari","tag-uri","tag-url","tag-uxss"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18135","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=18135"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18135\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=18135"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=18135"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=18135"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}