A cybersecurity researcher has uncovered a dangerous flaw in Apple’s macOS, which enabled attackers to access the victims’ logged-in online accounts and even get into their webcams.
The flaw, which Ryan Pickren reported to the Cupertino giants last summer, was patched earlier this month, while Pickren got to go home with a $100,000 bounty.
The bug, a universal cross-site scripting (UXSS) flaw, resided in the OS’ browser, Safari.
Full access
Explaining the end result to The Register, Pickren said it grants the attacker "full access to every website you've visited in Safari, meaning that if you're visiting my evil website on one tab, and then your other tab, you have Twitter open, I can jump into that tab and do everything you can from that screen. So it does allow me to fully perform an account takeover on every website you visited in Safari."
Here’s how it works, in brief: Safari supports a number of custom URI schemes, such as mailto:, s3:, and so on. One of them is icloud-sharing:, and triggering it opens ShareBear, an internal macOS app designed for sharing documents via iCloud. A website, for example, can trigger the scheme and have Safari download content hosted elsewhere.
Running malicious webarchives
This wouldn’t be a problem, were it not for one simple fact: the downloaded files could later be altered by their author. So a victim could download an innocent .PNG file, only to have it transform into a malicious webarchive file.
“In essence, the victim has given the attacker permission to plant a polymorphic file onto their machine and the permission to remotely launch it at any moment. Yikes. Agreed to view my PNG file yesterday? Well today it's an executable binary that will be automatically launched whenever I want,” Pickren explained in a further blog post.
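The "polymorphic file" problem above boils down to a file whose name promises one format while its bytes say another. The following is an added example from a defender's point of view, not code from Pickren's write-up or from Apple: it walks a downloads folder and flags any file whose leading magic bytes contradict its extension. The table of signatures is an assumption limited to a handful of common types (the only facts it relies on are the standard PNG, JPEG, GIF and PDF headers and the fact that Safari .webarchive files are binary property lists, which start with `bplist00`); the folder it scans is a constructed temporary directory, not a real Downloads folder.

```python
import tempfile
from pathlib import Path

# Magic bytes for a handful of common download types (assumed subset).
# "bplist" covers Safari .webarchive files, which are binary property lists.
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
    "bplist": (b"bplist00",),
}

# What each extension claims its content is.
EXT_KIND = {
    ".png": "png", ".jpg": "jpeg", ".jpeg": "jpeg", ".gif": "gif",
    ".pdf": "pdf", ".webarchive": "bplist", ".plist": "bplist",
}


def sniff_kind(header: bytes) -> str:
    """Return the content kind implied by the leading bytes, or 'unknown'."""
    for kind, signatures in MAGIC.items():
        if any(header.startswith(sig) for sig in signatures):
            return kind
    return "unknown"


def check_file(path: Path) -> dict:
    """Compare a file's extension with what its header actually says."""
    with open(path, "rb") as fh:
        header = fh.read(16)
    declared = EXT_KIND.get(path.suffix.lower())
    actual = sniff_kind(header)
    # Only flag when we know what the extension promises and the bytes
    # unambiguously say something else; unknown content is left alone.
    mismatch = declared is not None and actual != "unknown" and actual != declared
    return {"name": path.name, "declared": declared, "actual": actual, "mismatch": mismatch}


def scan_dir(directory: Path) -> list:
    """Return a finding for every regular file whose header contradicts its extension."""
    findings = []
    for entry in sorted(directory.iterdir()):
        if entry.is_file():
            result = check_file(entry)
            if result["mismatch"]:
                findings.append(result)
    return findings


def demo() -> list:
    """Build a constructed download folder (sample data, not real files) and scan it."""
    tmp = Path(tempfile.mkdtemp())
    (tmp / "photo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)  # honest PNG
    (tmp / "page.webarchive").write_bytes(b"bplist00" + b"\x00" * 32)   # honest webarchive
    (tmp / "cat.png").write_bytes(b"bplist00" + b"\x00" * 32)            # PNG by name, plist by content
    (tmp / "notes.txt").write_bytes(b"just text")                         # extension we do not model
    return scan_dir(tmp)


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding['name']}: extension says {finding['declared']}, bytes say {finding['actual']}")
```

Run against a real folder by calling `scan_dir(Path.home() / "Downloads")`. The check only catches the state of a file at scan time, so it is a periodic hygiene check rather than a detector for the remote rewrite itself; a file that flips from image to property list between two runs is exactly the pattern the article describes.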
To open the webarchive file, Pickren further explains, he needed to bypass the Gatekeeper restriction, which turned out to be relatively simple. He did it via a custom webpage, which could run JavaScript in an arbitrary origin (think facebook.com). That allowed him, among other things, to turn on the camera.
To fix the problem, Apple did two things. First, it made ShareBear just reveal downloaded files rather than launch them, in macOS Monterey 12.0.1. Second, it patched Safari’s engine, WebKit, to stop downloaded webarchives from being opened.