Web application security experts reported a vulnerability in the Apple Watch that, if exploited, allowed threat actors to spy on users of iPhone devices. The vulnerability was exploitable through Walkie-Talkie, an app installed on Apple Watch; because of this flaw, people could listen to calls on other users’ iPhones.
The Walkie-Talkie app allows two users to send and receive short audio messages; a user needs to accept an invitation before receiving the messages. Apple recently disclosed that a user reported a vulnerability that allowed other users to listen through other people’s iPhones without their consent or knowledge. “We have disabled this app, we regret the inconvenience this may have caused,” the company said, adding that “very specific conditions and a chain of events” would be needed to exploit the flaw.
Web application security experts had reported to the company a similar flaw in the Apple FaceTime video calling app earlier this year. In some of the known cases, it was even claimed that users could activate the microphone of the device receiving the FaceTime call, regardless of whether the user accepted the call or not. The company fixed this bug with an update shortly after receiving the bug report.
Recently, a new vulnerability was also reported in Zoom video conferencing software that, if exploited, allowed threat actors to arbitrarily redirect victims to Zoom sessions, as well as gain access to webcams without the victim’s consent.
Jonathan Leitschuh, who found and reported this flaw, said that the vulnerability allowed hackers to initiate video calls and access the target’s webcam with nothing more than a click on a link that could be embedded in any advertisement or website.
Although the company initially did not give much importance to the report of the flaw, web application security experts from the International Institute of Cyber Security (IICS) report that Zoom finally decided to patch the security flaw. “We appreciate the expert’s report, as well as the time he spent helping us improve the security of our service,” a Zoom statement says.