

Apple has a well-earned reputation for security, but in recent years its Safari browser has had its share of missteps. This week, a security researcher publicly shared new findings about vulnerabilities that would have allowed an attacker to exploit three Safari bugs in succession and take over a target's webcam and microphone on iOS and macOS devices. Apple patched the vulnerabilities in January and March updates. But before the fixes, all a victim would have needed to do is click one malicious link, and an attacker would have been able to spy on them remotely.

"Safari encourages users to save their preferences for site permissions, like whether to trust Skype with microphone and camera access," says Ryan Pickren, the security researcher who disclosed the vulnerabilities to Apple. "So what an attacker could do with this kill chain is make a malicious website that from Safari's perspective could then turn into 'Skype.' And then the malicious site will have all the permissions that you previously granted to Skype, which means an attacker could just start taking pictures of you or turn on your microphone or even screen-share."

A hacker who tricked a victim into clicking their malicious link would be able to quietly launch the target's webcam and microphone to capture video, take photos, or record audio. And the attack would work on iPhones, iPads, and Macs alike. None of the flaws are in Apple's microphone and webcam protections themselves, or even in Safari's defenses that keep malicious sites from accessing the sensors. Instead, the attack surmounts all of these barriers just by generating a convincing disguise.

Pickren submitted seven vulnerabilities to Apple's bug bounty program in mid-December and says he got a response that the company had validated the bugs the next day.
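To make the permission-reuse point concrete, here is an added example that is not from the article, from Pickren, or from Apple's code. It models a browser's saved site-permission store keyed by origin and compares a strict origin check with a deliberately lax one. The lax matcher, the `web.skype.com` origin, and the sample URLs are all constructed for illustration; the page does not describe the actual Safari bugs, and this is not a reproduction of them. The point it shows is general: a saved grant is only as safe as the identity check that decides which page gets to reuse it.

```javascript
// Added illustration, not code from the article, from Pickren, or from Safari.
// A toy site-permission store keyed by origin, plus two ways of deciding
// whether a page "is" a site the user previously trusted.
// The lax matcher below is a hypothetical bug for illustration only.

// Assumed trusted origin for the example (the article only says "Skype").
const TRUSTED_SKYPE = "https://web.skype.com";

class PermissionStore {
  constructor() {
    this.grants = new Map(); // origin string -> Set of permission names
  }
  grant(origin, permission) {
    if (!this.grants.has(origin)) this.grants.set(origin, new Set());
    this.grants.get(origin).add(permission);
  }
  has(origin, permission) {
    const perms = this.grants.get(origin);
    return perms !== undefined && perms.has(permission);
  }
}

// Strict identity: the scheme://host[:port] origin as the URL parser sees it.
function strictOrigin(pageUrl) {
  return new URL(pageUrl).origin;
}

// Hypothetical lax identity: treat the page as the trusted site whenever the
// trusted host name appears anywhere in the URL string. An attacker controls
// the path and subdomains of their own site, so this is trivially satisfied.
function laxOriginGuess(pageUrl, trustedOrigin) {
  const trustedHost = new URL(trustedOrigin).hostname;
  return pageUrl.includes(trustedHost) ? trustedOrigin : strictOrigin(pageUrl);
}

// The permission decision a page would hit when it asks for the camera:
// resolve the page to an identity, then look up the saved grant.
function canUseCamera(store, pageUrl, identify) {
  return store.has(identify(pageUrl), "camera");
}

// Runs the comparison on constructed sample URLs and returns the outcomes.
function demo() {
  const store = new PermissionStore();
  // The user once trusted Skype with camera and microphone and saved it.
  store.grant(TRUSTED_SKYPE, "camera");
  store.grant(TRUSTED_SKYPE, "microphone");

  // Constructed sample pages: one genuine, two attacker-controlled disguises.
  const legit = "https://web.skype.com/call/123";
  const pathDisguise = "https://attacker.example/web.skype.com/";
  const subdomainDisguise = "https://web.skype.com.attacker.example/";
  const lax = (u) => laxOriginGuess(u, TRUSTED_SKYPE);

  return {
    legitStrict: canUseCamera(store, legit, strictOrigin),             // true
    pathDisguiseStrict: canUseCamera(store, pathDisguise, strictOrigin), // false
    subdomainDisguiseStrict: canUseCamera(store, subdomainDisguise, strictOrigin), // false
    pathDisguiseLax: canUseCamera(store, pathDisguise, lax),             // true
    subdomainDisguiseLax: canUseCamera(store, subdomainDisguise, lax),   // true
  };
}

console.log(demo());
```

With the strict check only the real `https://web.skype.com` origin inherits the saved grant; with the lax check both disguised pages do, which is the capability the article describes: no bypass of the camera prompt itself, just a page that the permission lookup mistakes for a site the user already trusted.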
