A security researcher has disclosed vulnerabilities in Apple’s Safari browser that can be used to snoop on iPhones, iPads and Mac computers using their microphones and cameras. To exploit the flaws in a real-world attack, all an attacker would need to do is convince a victim to click one malicious link.
Security researcher Ryan Pickren has revealed details on seven flaws in Safari, including three that could be used in a kill chain to access victims’ webcams. The vulnerabilities were previously submitted to Apple via its bug-bounty program and have been patched – however, technical details of the flaws, including a proof of concept (PoC) attack, were kept under wraps until Pickren’s recent disclosure.
“Imagine you are on a popular website when all of a sudden an ad banner hijacks your camera and microphone to spy on you. That is exactly what this vulnerability would have allowed,” said Pickren, in an analysis of the vulnerabilities last week. ”This vulnerability allowed malicious websites to masquerade as trusted websites when viewed on the desktop version of Safari (like on Mac computers) or mobile Safari (like on iPhones or iPads).”