- Advertisement -
Wednesday, January 27, 2021
- Advertisement -

Apple’s Safari bugs let attackers hijack cameras on iPhones and Macs

Security researcher Ryan Pickren has shared findings of vulnerabilities that would've allowed attackers to exploit three Safari bugs in succession and take over webcam and microphone on iOS and macOS devices.

Apple paid out $75,000 to a hacker for identifying multiple zero-day vulnerabilities in its software, some of which could be used to hijack the camera on a MacBook or an iPhone, according to the news agency.

A zero-day vulnerability refers to a security hole in software that is unknown to the software developer and the public, although it may already be known by attackers who are quietly exploiting it.

Security researcher Ryan Pickren reportedly discovered the vulnerabilities in Safari after he decided to “hammer the browser with obscure corner cases” until it started showing weird behavior.

The bug hunter found seven exploits in all. The vulnerabilities involved the way that Safari parsed Uniform Resource Identifiers, managed web origins and initialized secure contexts, and three of them allowed him to get access to the camera by tricking the user to visit a malicious website.

“A bug like this shows why users should never feel totally confident that their camera is secure,” Pickren said, “regardless of operating system or manufacturer.”

Pickren reported his research through Apple’s Bug Bounty Program in December 2019. Apple validated all seven bugs immediately and shipped a fix for the camera kill chain a few weeks later. The camera exploit was patched with in Safari 13.0.5, released January 28. The remaining zero-day vulnerabilities, which Apple judged to be less severe, were patched in Safari 13.1, released on March 24.

Apple opened its bug bounty program to all security researchers in December 2019. Prior to that, Apple’s bug bounty program was invitation-based and non-iOS devices were not included. Apple also increased the maximum size of the bounty from $200,000 per exploit to $1 million depending on the nature of the security flaw.

When submitting reports, researchers must include a detailed description of the issue, an explanation of the state of the system when the exploit works, and enough information for Apple to reliably reproduce the issue.

This year, Apple plans to provide vetted and trusted security researchers and hackers with “dev” iPhones, or special iPhones that provide deeper access to the underlying software and operating system that will make it easier for vulnerabilities to be discovered.

These iPhones are being provided as part of Apple’s forthcoming iOS Security Research Device Program, which aims to encourage additional security researchers to disclose vulnerabilities, ultimately leading to more secure devices for consumers.

For latest entertainment news, bollywood news, hollywood news, celebrity gossips, latest movie reviews, entertainment news and gossips in hindi - follow Lehren on Facebook, Twitter and Youtube.

00:03:21

After Riots On 26 Jan, Kangana Ranaut Attacks Priyanka Chopra And Diljit Dosanjh

Kangana Ranaut has launched a fresh attack on Priyanka Chopra and Diljit Dosanjh who supported farmers’ protest. A few weeks ago, Kangana and Diljit...
00:01:23

Diljit Dosanjh Goes On Silent Mode As Farmers’ Protest Turns Violent On Jan...

Actor and singer Diljit Dosanjh has been openly supporting the farmers’ protest against the farm bills. He not only supported the farmers on social...
00:01:06

Aashay Mishra: Shooting For The Sequence Where Sarang Learns He’s The Donor Was...

Sony Entertainment Television’s popular show Story 9 Months Ki has been successfully keeping the viewers entertained and glued to the screen with its interesting...
- Advertisement -