A cybersecurity student recently showed Apple how hacking the webcam of a Mac can leave the device fully vulnerable to further attacks.
Ryan Pickren had earlier discovered an iPhone and Mac camera vulnerability. The newly discovered webcam vulnerability involved a series of issues with both Safari and iCloud.
This flaw could have helped malicious websites launch attacks. Luckily, Apple has now patched the security flaw. In a recent blog post, Ryan Pickren stated:
“The bug gives the attacker full access to every website ever visited by the victim. That means in addition to turning on your camera, my bug can also hack your iCloud, PayPal, Facebook, Gmail, etc. accounts too.”
The bug would also grant permission to use the microphone, camera, and screen sharing. However, it's worth noting that a green light indicates camera usage on Apple devices, so that use won't go unnoticed.
Ryan Pickren also showed that the bug can give the attacker full access to a device's entire filesystem. To do so, the attacker can exploit Safari's "webarchive" files. He stated:
“A startling feature of these files is that they specify the web origin that the content should be rendered in,” Pickren wrote. “This is an awesome trick to let Safari rebuild the context of the saved website, but as the Metasploit authors pointed out back in 2013 if an attacker can somehow modify this file, they could effectively achieve UXSS [universal cross-site scripting] by design.”
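The property Pickren describes, that a webarchive file itself names the origin its content is rendered in, can be checked before such a file is opened. The following triage script is an added example, not code from Pickren's post or from Apple; it assumes the standard webarchive property-list keys (`WebMainResource`, `WebSubresources`, `WebSubframeArchives`, `WebResourceURL`), and the names `inspect_webarchive` and `SAMPLE` are hypothetical.

```python
import plistlib
import re
from urllib.parse import urlsplit

# Markers of active content in HTML (a heuristic, not a full HTML parser).
ACTIVE_RE = re.compile(rb"<script\b|\son\w+\s*=|javascript:", re.I)

def origin_of(url):
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}" if parts.netloc else url

def walk(archive):
    """Yield every resource dict, including those in nested subframe archives."""
    if "WebMainResource" in archive:
        yield archive["WebMainResource"]
    yield from archive.get("WebSubresources", [])
    for sub in archive.get("WebSubframeArchives", []):
        yield from walk(sub)

def inspect_webarchive(blob):
    """Report the origin a .webarchive declares and which resources are active."""
    root = plistlib.loads(blob)  # accepts binary or XML property lists
    main_url = root.get("WebMainResource", {}).get("WebResourceURL", "")
    active = []
    for res in walk(root):
        mime = res.get("WebResourceMIMEType", "")
        data = res.get("WebResourceData", b"")
        if "javascript" in mime or ("html" in mime and ACTIVE_RE.search(data)):
            active.append(res.get("WebResourceURL", ""))
    # Script plus a file-declared origin means the file, not a server,
    # decides which site's context that script would run in.
    return {"declared_origin": origin_of(main_url), "active": active,
            "needs_review": bool(active)}

# Constructed sample archive (benign, example.com only) so the script runs offline.
SAMPLE = plistlib.dumps({
    "WebMainResource": {
        "WebResourceURL": "https://example.com/saved.html",
        "WebResourceMIMEType": "text/html",
        "WebResourceData": b"<html><script>/* constructed */</script></html>",
    },
    "WebSubresources": [{
        "WebResourceURL": "https://example.com/logo.png",
        "WebResourceMIMEType": "image/png",
        "WebResourceData": b"\x89PNG",
    }],
}, fmt=plistlib.FMT_BINARY)

if __name__ == "__main__":
    print(inspect_webarchive(SAMPLE))
```

A `needs_review` result on a file that arrived from an untrusted source (a download, mail attachment or shared folder) is the case worth escalating, since the declared origin comes from the file rather than from the site it names.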
As of now, Apple hasn't shared a statement on the bug. However, Ryan Pickren has been awarded $100,500 from Apple's bug bounty program.
It’s worth noting that the maximum reward offered by the bug bounty program is $1 Million.