Flaw hunter bags $75,000 off Apple after duping Safari into spying through iPhone, Mac cameras without permission
Independent security researcher Ryan Pickren has revealed how a malicious website could hack Apple's Safari browser on iOS and macOS to spy on the user through the computer's camera without prompting for permission.
Apple fixed the issues with Safari 13.1, crediting Pickren for three bug reports in the patch release notes.
If you have given Safari permission to access the camera in order to use the likes of Skype or Zoom, then it is Safari that controls whether or not a malicious site gets those same permissions.
Pickren set out to discover how to trick Safari into identifying his untrusted site as coming from the skype.com domain.
After some work with browser history and iframes, "We now have a sandboxed iframe with the blob://skype.com href and arbitrary JavaScript content. A simple window.open() popup is the final step to glory," said Pickren - glory being in this case a payout for him, and a reminder to the rest of us that giving the web browser superpowers is not without risk.
News URL
https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/04/07/apple_safari_camera_hack/