A security researcher has disclosed vulnerabilities in Apple’s Safari browser that can be used to snoop on iPhones, iPads and Mac computers using their microphones and cameras. To exploit the flaws in a real-world attack, all an attacker would need to do is convince a victim to click one malicious link.

Security researcher Ryan Pickren has revealed details on seven flaws in Safari, including three that could be used in a kill chain to access victims’ webcams. The vulnerabilities were previously submitted to Apple via its bug-bounty program and have been patched – however, technical details of the flaws, including a proof of concept (PoC) attack, were kept under wraps until Pickren’s recent disclosure.

“Imagine you are on a popular website when all of a sudden an ad banner hijacks your camera and microphone to spy on you. That is exactly what this vulnerability would have allowed,” said Pickren, in an analysis of the vulnerabilities last week. “This vulnerability allowed malicious websites to masquerade as trusted websites when viewed on the desktop version of Safari (like on Mac computers) or mobile Safari (like on iPhones or iPads).”

Apple patched the webcam vulnerabilities in a January 28 update (for Safari version 13.0.5) and the remaining four flaws were patched in March. Threatpost has reached out to Apple for further comment.