Security researcher Ryan Pickren recently discovered and reported to Apple a set of macOS vulnerabilities that exposed the Safari browser.
4 New Zero-Days Reported to Apple
The researcher’s hack “successfully gained unauthorized camera access by exploiting a series of issues with iCloud Sharing and Safari 15.” The research brought 4 zero-day flaws to light: CVE-2021-30861, CVE-2021-30975, and two without CVEs. Pickren reported the vulnerability chain to Apple and was awarded $100,500 as a bounty.
While the bug related to macOS cameras does require the victim to click “open” on a popup from a website, it results in more than just multimedia permission hijacking, the researcher explained.
“This time, the bug gives the attacker full access to every website ever visited by the victim. That means in addition to turning on your camera, my bug can also hack your iCloud, PayPal, Facebook, Gmail, etc. accounts too,” Pickren added. In a nutshell, exploiting the chain of issues could enable an attacker to hijack the multimedia permission and gain full access to every website the victim has visited in Safari, including Gmail, iCloud, Facebook, and PayPal.
The vulnerabilities stem from a feature called ShareBear, an iCloud file-sharing mechanism that prompts users when they open a shared document for the first time. In short, the researcher took advantage of the fact that the prompt is shown to the user only once: after they agree to open the file, its content can be altered in various ways.
“ShareBear will then download and update the file on the victim’s machine without any user interaction or notification. In essence, the victim has given the attacker permission to plant a polymorphic file onto their machine and the permission to remotely launch it at any moment,” he said.
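The weakness described above is that consent is recorded once per shared file and never re-checked against what the file later becomes. The Python sketch below is an added example, not code from the researcher's report or from Apple, and it does not represent Apple's actual fix; the `ApprovalStore` class, the share identifier, and the file names and bytes are all constructed for illustration. It contrasts a prompt-once policy with one that binds the approval to the file's extension and SHA-256 digest.

```python
import hashlib


class ApprovalStore:
    """Remembers which shared files the user has agreed to open.

    pin_content=False models the behaviour the article describes: one
    approval per share, valid from then on. pin_content=True binds the
    approval to the exact bytes and extension that were approved.
    """

    def __init__(self, pin_content):
        self.pin_content = pin_content
        self._approved = {}  # share_id -> (extension, sha256) at approval time

    @staticmethod
    def _fingerprint(name, data):
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        return ext, hashlib.sha256(data).hexdigest()

    def needs_prompt(self, share_id, name, data):
        """Return True if the user must be asked before this file is opened."""
        if share_id not in self._approved:
            return True
        if not self.pin_content:
            return False  # approved once: later changes go unnoticed
        return self._approved[share_id] != self._fingerprint(name, data)

    def approve(self, share_id, name, data):
        """Record the user's consent for the file as it exists right now."""
        self._approved[share_id] = self._fingerprint(name, data)


def simulate(pin_content):
    """Replay a constructed sequence: open twice, then the sharer alters the file."""
    store = ApprovalStore(pin_content)
    share_id = "share-0001"                            # constructed identifier
    v1 = ("notes.txt", b"constructed original bytes")  # what the user approved
    v2 = ("notes.bin", b"constructed altered bytes")   # later update from sharer
    prompts = []
    for name, data in (v1, v1, v2):
        ask = store.needs_prompt(share_id, name, data)
        prompts.append(ask)
        if ask:
            store.approve(share_id, name, data)  # assume the user clicks "open"
    return prompts


if __name__ == "__main__":
    print("prompt once :", simulate(pin_content=False))
    print("pin content :", simulate(pin_content=True))
```

With the prompt-once policy the altered file is opened without asking again; with the pinned policy the change triggers a fresh prompt.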
Full technical disclosure is available in the original report.
Last week, Apple released new versions of its operating systems – iOS 15.3 and macOS Monterey 12.2, which contained a number of fixes, including two zero-days.