Friday, 3 April 2020

Just visiting the site can capture the camera of your iPhone or MacBook.

If you use an Apple iPhone or MacBook, here is some disturbing news.
It turns out that merely visiting a website in the Safari browser (not only a malicious site, but also a legitimate one that unknowingly serves malicious ads) could have allowed a remote attacker to secretly access the camera, microphone, or device location, and in some cases saved passwords.
Apple recently paid a $75,000 bug bounty to ethical hacker Ryan Pickren, who demonstrated the attack in practice and helped the company fix seven new vulnerabilities before any attacker could exploit them.
The fixes were released in a series of Safari updates: Safari 13.0.5 (released January 28, 2020) and Safari 13.1 (released March 24, 2020).
"If the malicious website wanted camera access, all it had to do was masquerade as a trusted video-conferencing website such as Skype or Zoom," Pickren said.
When chained together, three of the reported Safari flaws could have allowed a malicious site to impersonate any legitimate site the victim trusts and to access the camera or microphone by abusing permissions the victim had explicitly granted to that trusted domain only.

A vulnerability exploit chain that misuses Safari permissions for sites

Safari grants permissions such as camera, microphone and location on a per-website basis, so that an individual website does not have to ask the user again every time it is opened.
But on iOS there is an exception to this rule. Although third-party applications must obtain explicit user consent to access the camera, Safari itself can access the camera or photo library without prompting.
Specifically, chaining several flaws in how the browser parses URL schemes and applies per-website security settings led to permissions being granted to the wrong site; the technique only affects the site that is currently open.


Pickren said: "The most important conclusion is that URL schemes are completely ignored." "This is problematic because some schemes do not contain any significant hostnames, such as file:, javascript: or data:."
In other words, Safari could not verify that a website complied with the same-origin policy, and so granted access to other websites that should not have had it. As a result, the "https://example.com" website and a malicious copy at "fake://example.com" could end up with the same permissions.
Thus, by exploiting Safari's lazy host resolution, a "file" URI (for example, file:///path/to/file/index.html) could trick the browser into treating the page's JavaScript origin as that of a trusted domain.

Pickren said: "Safari thinks we're on skype.com and can load some kind of bad JavaScript. When you open a local HTML file, everything about the camera, microphone and general screen is compromised."
The research showed that even plaintext passwords could be stolen this way, because Safari uses the same method to identify websites for which it should automatically fill in saved passwords.
In addition, the protections around automatic downloads could be bypassed by first opening a trusted site in a pop-up window and then using it to download a malicious file.
Similarly, a blob: URI (for example, blob://skype.com) could be used to run arbitrary JavaScript code and access the victim's webcam directly without permission.
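The core defect described above is a permission store that compares only the hostname and ignores the URL scheme, so that "https://example.com" and "fake://example.com" collapse to the same key. The following is an added example, not Pickren's code or Apple's Safari implementation, that models a per-site permission store two ways: a flawed version keyed on hostname alone, and a hardened version keyed on the full origin (scheme, host, port) that refuses to match schemes such as file:, data: and javascript:, which carry no meaningful host. The PermissionStore class and the URLs are constructed for illustration.

```javascript
// Added example: why per-site permissions must be keyed on the full origin.
// Not from the original post; uses the WHATWG URL parser available in Node/browsers.

// Schemes whose URLs carry no meaningful host. A permission check must treat
// them as an opaque origin that never matches a grant made to a real site.
const OPAQUE_SCHEMES = new Set(['file:', 'data:', 'javascript:', 'about:', 'blob:']);

// Flawed key: hostname only. This is the behaviour the article describes as
// "URL schemes are completely ignored".
function hostOnlyKey(urlString) {
  return new URL(urlString).hostname;
}

// Hardened key: scheme + host (+ non-default port), or null for opaque origins.
// Built manually because URL.origin returns the string "null" for
// non-special schemes such as fake://, which would otherwise collide.
function originKey(urlString) {
  let u;
  try {
    u = new URL(urlString);
  } catch (e) {
    return null; // unparsable input never matches any grant
  }
  if (OPAQUE_SCHEMES.has(u.protocol) || u.hostname === '') return null;
  return `${u.protocol}//${u.host}`;
}

// Minimal per-site permission store parameterised by the key function,
// so the same grant/check logic can be run with either key.
class PermissionStore {
  constructor(keyFn) {
    this.keyFn = keyFn;
    this.grants = new Map(); // key -> Set of permission names
  }

  grant(urlString, permission) {
    const key = this.keyFn(urlString);
    if (key === null) return false; // refuse to persist grants for opaque origins
    if (!this.grants.has(key)) this.grants.set(key, new Set());
    this.grants.get(key).add(permission);
    return true;
  }

  isAllowed(urlString, permission) {
    const key = this.keyFn(urlString);
    if (key === null) return false;
    const perms = this.grants.get(key);
    return perms !== undefined && perms.has(permission);
  }
}

// Run both stores against the same grant and the same lookalike URLs.
function compareStores() {
  const loose = new PermissionStore(hostOnlyKey);
  const strict = new PermissionStore(originKey);
  loose.grant('https://example.com', 'camera');
  strict.grant('https://example.com', 'camera');

  return {
    // hostname-only key: the bogus scheme inherits the real site's camera grant
    looseLeak: loose.isAllowed('fake://example.com', 'camera'),
    // full-origin key: different scheme, different origin, no grant
    strictLeak: strict.isAllowed('fake://example.com', 'camera'),
    // same origin with a different path still matches, as it should
    strictSamePath: strict.isAllowed('https://example.com/page?x=1', 'camera'),
    // a local HTML file has no host and must never match a web grant
    strictFile: strict.isAllowed('file:///tmp/index.html', 'camera'),
    // a different port is a different origin
    strictPort: strict.isAllowed('https://example.com:8443/', 'camera'),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(compareStores());
}
```

The point of the comparison is that the grant itself is identical in both stores; only the key derivation differs, and that alone decides whether a lookalike URL can reuse a trusted site's camera permission.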

-Sumit Tiwari
