Flaw hunter bags $75,000 off Apple after duping Safari into spying through iPhone, Mac cameras without permission
Independent security researcher Ryan Pickren has revealed how a malicious website could hack Apple's Safari browser on iOS and macOS to spy on the user through the device's camera without prompting for permission.
Apple fixed the issues with Safari 13.1, crediting Pickren for three bug reports in the patch release notes.
If you have given Safari permission to access the camera in order to use the likes of Skype or Zoom, then it is Safari that decides whether or not a malicious site gets those same permissions, so everything rests on the browser correctly working out which site a page belongs to.
Pickren set out to discover how to trick Safari into identifying his untrusted site as from the skype.com domain.
A bit of work with browser history and iFrames, and "We now have a sandboxed iframe with the blob://skype.com href and arbitrary JavaScript content. A simple window.open() popup is the final step to glory," said Pickren - glory being in this case a payout for him, and a reminder to the rest of us that giving the web browser super powers is not without risk.
News URL
https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/04/07/apple_safari_camera_hack/