Skip to main content

How Visiting Untrusted Website Could Hack Your Device Camera.


If you use Apple iPhone or MacBook, here we have a piece of alarming news for you.

Turns out merely visiting a website — not just malicious but also legitimate sites unknowingly loading malicious ads as well — using Safari browser could have let remote attackers secretly access your device's camera, microphone, or location, and in some cases, saved passwords as well.

Apple recently paid a $75,000 bounty reward to an ethical hacker, Ryan Pickren, who practically demonstrated the hack and helped the company patch a total of seven new vulnerabilities before any real attacker could take advantage of them.

The fixes were issued in a series of updates to Safari spanning versions 13.0.5 (released January 28, 2020) and Safari 13.1 (published March 24, 2020).

"If the malicious website wanted camera access, all it had to do was masquerade as a trusted video-conferencing website such as Skype or Zoom," Pickren said.

When chained together, three of the reported Safari flaws could have allowed malicious sites to impersonate any legit site a victim trusts and access camera or microphone by abusing the permissions that were otherwise explicitly granted by the victim to the trusted domain only.

An Exploit Chain to Abuse Safari's Per-Site Permissions.


Safari browser grants access to certain permissions such as camera, microphone, location, and more on a per-website basis. This makes it easy for individual websites, say Skype, to access the camera without asking for the user's permission every time the app is launched.

But there are exceptions to this rule on iOS. While third-party apps must require user's explicit consent to access the camera, Safari can access the camera or the photo gallery without any permission prompts.

Specifically, improper access is made possible by leveraging an exploit chain that stringed together multiple flaws in the way the browser parsed URL schemes and handled the security settings on a per-website basis. This method only works with websites that are currently open.


"A more important observation was that the URL's scheme is completely ignored," Pickren noted. "This is problematic because some schemes don't contain a meaningful hostname at all, such as file:, javascript:, or data:."

Put another way, Safari failed to check if the websites adhered to the same-origin policy, thereby granting access to a different site that shouldn't have obtained permissions in the first place. As a result, a website such as "https://example.com" and its malicious counterpart "fake://example.com" could end up having the same permissions.

Thus, by taking advantage of Safari's lazy hostname parsing, it was possible to use a "file:" URI (e.g., file:///path/to/file/index.html) to fool the browser into changing the domain name using JavaScript.

"Safari thinks we are on skype.com, and I can load some evil JavaScript. Camera, Microphone, and Screen Sharing are all compromised when you open my local HTML file," Pickren said.

The research found that even plaintext passwords can be stolen this way as Safari uses the same approach to detect websites on which password auto-fill needs to be applied.

Furthermore, auto-download preventions can be bypassed by first opening a trusted site as a pop-up, and subsequently using it to download a malicious file.

Likewise, a "blob:" URI (e.g. blob://skype.com) can be exploited to run arbitrary JavaScript code, using it to directly access the victim's webcam without permission.

In all, the research uncovered seven different zero-day vulnerabilities in Safari —


  • CVE-2020-3852: A URL scheme may be incorrectly ignored when determining multimedia permission for a website
  • CVE-2020-3864: A DOM object context may not have had a unique security origin
  • CVE-2020-3865: A top-level DOM object context may have incorrectly been considered secure
  • CVE-2020-3885: A file URL may be incorrectly processed
  • CVE-2020-3887: A download's origin may be incorrectly associated
  • CVE-2020-9784: A malicious iframe may use another website's download settings
  • CVE-2020-9787: A URL scheme containing dash (-) and period (.) adjacent to each other is incorrectly ignored when determining multimedia permission for a website


If you are a Safari user, it's recommended that you keep the browser up-to-date and ensure websites are granted access to only those settings which are essential for them to function.


THN

#osutayusuf

Comments

Popular posts from this blog

We Bring You Brief Series of Sanctions Against Uganda Government Officials.

📸: Gen Abel Kandiho. On 9-December-2021, USA slapped sanctions against the then CMI Commander Gen Abel Kandiho. 📸: Gen Kale Kayihura. On 9-December-2022, UK slapped sanctions against former Police Boss Gen Kale Kayihura. 📸: Commissioner General of Prisons, Johnson Byabashaija. Again on this 4-December-2023, the same USA has slapped sanctions against Uganda Prisons Commander Johnson Byabashaija over alleged torture and human rights abuses in Prisons across Uganda. We ask, has USA and UK made December as an LCM to slap sanctions against high ranking government officials in Uganda even when the sanctions just remain on paper without deeper investigations to ascertain logical conclusions or remedy to that effect ?. #iip_updates  #Information_is_Power  #we_inform_the_uninformed

How to Host a Website for Free From Your PC or Laptop.

Why pay for a web hosting service when your old computer can do the same thing? Learn how to self-host your site. If you're planning to launch a website but don't want to pay recurring monthly or annual hosting fees, you can use any old laptop or desktop PC to host a website for free. It's a great way to utilize your old system instead of throwing it away. In this guide, we will install and set up services on our 10-year-old laptop to host a WordPress, Joomla, or custom HTML or PHP-based website with a free SSL certificate. MAKEUSEOF VIDEO OF THE DAY Things You Will Need to Host a Website Following are the pre-requisites to host a website for free from home with just your computer: An old laptop or PC running Ubuntu Server. A registered domain name for your website Ethernet cable to connect the laptop or PC to router for reliable and fast connection Step 1: Update and Upgrade the Packages After  installing Ubuntu Server on your computer , execute the following c...

WHERE IS MINISTER OF SEX SIMON LOKODO?. (He deserves a battle of soda from me! Ministe`r esalanga mabee. He is quick to run after Mrs Dr Stella Nyanzi and other Opposition elements. Government aza aza edo zuu vaa kpere bua). Anyway, below is the article! POLICE OFFICER AKOL ESTHER CHARGED OF BEING A PUBLIC NUISANCE Naughty Officer Officer who embarrassed police after leaking nude photo charged 13.03.2018 She serves in the 'Very Important Persons Protection Unit'  Akol Esther  (Courtesy) A female police officer whose nude photo surfaced on social media has been charged of being a public nuisance. Akol Esther serves in the Very Important Persons Protection Unit (VIPPU) of the police force. Kampala Metropolitan Police spokesperson Luke Owoyesigire says Akol Esther might be demoted or expelled from the police force if found guilty of circulating nude photos. Police court is yet to announce date when Akol Esther is expected to appear for a hearing. This comes at a time when Pornography Control Committee is taking tough measures against persons circulating pornography content. The committee warned and promised to arrest persons who will circulate pornographic content.

POLICE OFFICER AKOL ESTHER CHARGED OF BEING A PUBLIC NUISANCE Naughty Officer Officer who embarrassed police after leaking nude photo charged 13.03.2018 She serves in the 'Very Important Persons Protection Unit' Akol Esther  (Courtesy) A female police officer whose nude photo surfaced on social media has been charged of being a public nuisance. Akol Esther serves in the Very Important Persons Protection Unit (VIPPU) of the police force. Kampala Metropolitan Police spokesperson Luke Owoyesigire says  Akol Esther might be demoted or expelled from the police force if found guilty of circulating nude photos . Police court is yet to announce date when Akol Esther is expected to appear for a hearing. This comes at a time when Pornography Control Committee is taking tough measures against persons circulating pornography content. The committee warned and promised to arrest persons who will circulate pornographic content.