Safari flaw in iPhone, iPad & Mac allowed hacking & recording users via camera

Although Apple markets its devices as a safer option than their Android counterparts, iOS and macOS products are not free of security flaws. A web security researcher recently found that a chain of vulnerabilities in the Safari browser would allow threat actors to switch on, and record from, the camera of a device whose user simply visited a malicious website.

Ryan Pickren, the researcher responsible for the discovery, says the problem affects Safari on macOS as well as on iPhone and iPad. All the attacker needs is for the victim to open a malicious link; the page then gains access to the device’s camera without any permission prompt being shown.

The same weakness puts other resources guarded by Safari’s site permissions at risk: the microphone, screen sharing on macOS, and potentially sensitive data such as plaintext passwords.

The attack does not exploit the camera hardware itself. Safari asks the user for permission the first time a site requests the camera and then remembers that decision per site. The vulnerabilities Pickren found let a malicious page be treated as though it belonged to a different, trusted site, such as one the user had already allowed to use the camera, so the camera turned on without a new permission request ever being displayed.

In his report, Pickren mentions: “I discovered seven zero-day vulnerabilities in Safari identified as CVE-2020-3852, CVE-2020-3864, CVE-2020-3865, CVE-2020-3885, CVE-2020-3887, CVE-2020-9784 and CVE-2020-9787; I can confirm that three of these flaws have been used for this attack variant.”

Beyond this particular chain, the underlying concern is that any page able to pass itself off as a trusted site inherits every permission that site was granted, after a single click by the user. “If users require using the browser, companies will need to ensure an optimal level of trust,” the researcher says.

Regarding site permissions, Safari stores the user’s choices keyed to the website: once a site has been allowed to use the camera, the microphone or (on macOS) screen sharing, it is not asked again. A threat actor who can make Safari treat a malicious page as one of those trusted sites inherits the stored permission rather than having to request a new one. Users can review and revoke these grants under Safari’s Websites preferences.
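To make the permission model concrete, the following is an added example, not Safari’s code and not from Pickren’s report. It models a per-site camera permission store the way a browser must keep it, keyed by the canonical origin (scheme, host and port) rather than by anything looser, and probes it with look-alike URLs of the kind an attacker would use. “skype.com” here is an illustrative placeholder for any site the user has already trusted, and the `hostTextMatches` helper is a deliberately weak comparison included only to show what it wrongly accepts; both are assumptions of this example.

```javascript
// Added example (not Safari's or Pickren's code): a per-origin camera
// permission store, showing why the key must be the canonical origin.
// "skype.com" is an illustrative stand-in for any site the user trusted.

const grantedCameraOrigins = new Set();

// Canonical origin per the WHATWG URL standard. Opaque origins
// (javascript:, data:, about:, ...) serialize to the string "null" and
// must never be treated as a site.
function canonicalOrigin(urlString) {
  return new URL(urlString).origin;
}

// The user clicked "Allow" on a camera prompt shown for this URL.
function grantCamera(urlString) {
  const origin = canonicalOrigin(urlString);
  if (origin === "null") {
    throw new Error(`refusing to persist a grant for an opaque origin: ${urlString}`);
  }
  grantedCameraOrigins.add(origin);
  return origin;
}

// May a page at this URL use the camera without a fresh prompt?
function cameraAllowedWithoutPrompt(urlString) {
  let origin;
  try {
    origin = canonicalOrigin(urlString);
  } catch {
    return false; // unparseable URL: fail closed
  }
  return origin !== "null" && grantedCameraOrigins.has(origin);
}

// A looser check some code paths are tempted to use: look for the trusted
// host name in the authority text. Kept only to show what it wrongly accepts.
function hostTextMatches(urlString, trustedHost) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/([^/?#]*)/i.exec(urlString);
  return m !== null && m[1].includes(trustedHost);
}

// Constructed probe URLs: one genuine same-origin page, one blob: URL minted
// by that origin, and four impostors.
function demo() {
  grantCamera("https://skype.com/meeting/abc");
  const probes = {
    sameOrigin: "https://skype.com/any/other/path?x=1",
    blobFromSameOrigin: "blob:https://skype.com/2a1b3c4d-0000-4000-8000-000000000000",
    subdomainTrick: "https://skype.com.attacker.example/",
    httpDowngrade: "http://skype.com/",
    userinfoTrick: "https://skype.com@attacker.example/",
    javascriptUrl: "javascript:void(0)",
  };
  const results = {};
  for (const [name, url] of Object.entries(probes)) {
    results[name] = {
      canonical: cameraAllowedWithoutPrompt(url),
      hostText: hostTextMatches(url, "skype.com"),
    };
  }
  return results;
}

console.table(demo());
```

Run with `node`. Only the genuine same-origin page and the blob: URL created by that origin pass the canonical check; the subdomain, http downgrade and userinfo impostors are rejected even though the text-based comparison accepts every one of them, and a `javascript:` URL never matches because its origin is opaque. The lesson of the Safari bugs is that every component deciding on a permission must agree on this one canonical origin; as soon as one code path computes it differently, a permission granted to one site can be inherited by another.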

Pickren reported the flaws to Apple through its bug bounty program and earned a reward of $75,000. Apple has since fixed them in Safari updates, which users should install promptly. It is also worth reviewing which sites hold camera and microphone permissions in Safari’s settings and revoking any that are no longer needed, and being cautious with links from untrusted sources. Checking a website’s TLS certificate and refusing mobile applications that request more permissions than necessary remain good habits, but they would not by themselves have stopped this attack, since the malicious page inherited a trusted site’s permission rather than presenting a forged one.

For further reports on vulnerabilities, exploits, malware variants and computer security risks, it is recommended to visit the website of the International Institute of Cyber Security (IICS), as well as the official platforms of technology companies.