The vulnerability could let a hacker quietly activate the camera and microphone of iPhones, iPads and MacBooks to take pictures, shoot videos and record audio. (REUTERS)
Until last month, Apple's Safari browser on iPhones, iPads and MacBooks was said to have a vulnerability that allowed hackers to access the microphone and webcam. As reported by Wired, a hacker could have used three Safari bugs in succession to gain access on iOS and macOS devices. The company patched the vulnerability in its January and March updates; before that, all a user needed to do was click on a malicious link once to let hackers snoop remotely.
This means that a hacker could quietly activate the camera and microphone to take pictures, shoot videos and record audio.
“Safari encourages users to save their preferences for site permissions, like whether to trust Skype with microphone and camera access,” said Ryan Pickren. Pickren is the security researcher who found the vulnerability and reported it to Apple.
“So what an attacker could do with this kill chain is make a malicious website that from Safari’s perspective could then turn into ‘Skype’. And then the malicious site will have all the permissions that you previously granted to Skype, which means an attacker could just start taking pictures of you or turn on your microphone or even screen-share,” added Pickren, who alerted Apple about the bugs in December last year.
When you grant a permission to a website in Safari, the browser applies it to all variations of that website's address, for instance https://www.example.com, http://example.com, and fake://example.com. Hackers could use the vulnerability to create special URLs that would trick Safari in a similar way.
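The difference between reusing a saved permission for every variation of a site and reusing it only for the exact origin, as an added example that is not code from Safari, WebKit or the researcher. It is a simplified model; `looseKey`, `strictKey`, `makeStore` and `audit` are hypothetical names, and the loose matching rule is an assumption based on the variations listed above.

```javascript
// Added illustration: a simplified model, not Safari or WebKit code.
// Constructed sample: the site the user once trusted with camera and microphone.
const TRUSTED = "https://www.example.com";

// Parse a URL string, returning null instead of throwing on bad input.
function parse(urlString) {
  try { return new URL(urlString); } catch (e) { return null; }
}

// Loose key (assumed model of the flaw): hostname only, "www." stripped,
// scheme and port ignored, so every "variation" maps to the same grant.
function looseKey(urlString) {
  const u = parse(urlString);
  return u ? u.hostname.replace(/^www\./, "") : null;
}

// Strict key: the full origin (scheme + host + port), https only.
// Non-special schemes such as fake:// have the opaque origin "null".
function strictKey(urlString) {
  const u = parse(urlString);
  if (!u || u.protocol !== "https:" || u.origin === "null") return null;
  return u.origin;
}

// Permission store parameterised by the key function under test.
function makeStore(keyFn) {
  const grants = new Map();
  return {
    grant(url, perms) {
      const k = keyFn(url);
      if (k !== null) grants.set(k, new Set(perms));
    },
    allows(url, perm) {
      const k = keyFn(url);
      return k !== null && grants.has(k) && grants.get(k).has(perm);
    },
  };
}

// Report, per URL, whether each store would reuse the saved camera grant.
function audit(urls) {
  const loose = makeStore(looseKey);
  const strict = makeStore(strictKey);
  loose.grant(TRUSTED, ["camera", "microphone"]);
  strict.grant(TRUSTED, ["camera", "microphone"]);
  return urls.map((url) => ({
    url, loose: loose.allows(url, "camera"), strict: strict.allows(url, "camera"),
  }));
}
console.log(audit([TRUSTED, "http://example.com", "fake://example.com"]));
```

Only the exact https origin keeps the grant under the strict key; the loose key hands it to every listed variation, including a different port.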
Pickren says that some of the bugs were years old. “Part of this is that some of the bugs were really, really old flaws in the WebKit core from years ago. They probably were not as dangerous as they are now just because the stars lined up on how an attacker would use them today,” said Pickren.
On a related note, Apple’s recently launched iPad models also come with the T2 security chip, which disconnects the microphone at the hardware level when the device is closed while used with an MFi-compliant cover case. The ‘hardware disconnect’ feature is already there in MacBooks and doesn’t disconnect the webcam, as the field of view is obstructed anyway when the lid is closed.