Gatekeeper defenses prove no match for uXSS attack

Apple pays out $100k bounty for Safari webcam hack that imperiled victims' online accounts

Security vulnerabilities in Apple iCloud and Safari 15 could have enabled attackers to compromise macOS webcams and, thereafter, victims’ online accounts.

Ryan Pickren, an independent security researcher, netted an eye-watering $100,500 bug bounty for the universal cross-site scripting (uXSS) exploit and a total of four flaws.

uXSS all areas

While the camera hack required user interaction, the potential impact of a successful compromise was egregious.

“While this bug does require the victim to click ‘open’ on a popup from my website, it results in more than just multimedia permission hijacking,” said Pickren in a technical write-up.

The exploit, he added, gives “the attacker full access to every website ever visited by the victim. That means in addition to turning on your camera, my bug can also hack your iCloud, PayPal, Facebook, Gmail, etc. accounts too.”


RELATED Same-origin violation vulnerability in Safari 15 could leak a user’s website history and identity


The researcher demonstrated a scenario in which a victim agrees to view a folder containing PNG images and a hidden webarchive file that injects code into icloud.com that exfiltrates their iOS camera roll.

A paper (PDF) published by Google Project Zero has described uXSS bugs, which can imperil multiple online accounts because they exploit browser vulnerabilities, as “almost as valuable as a remote code execution (RCE) exploit with the sandbox escape”.

‘Subtle, but wildly impactful’

As suggested by the authors of penetration testing application Metasploit back in 2013, Pickren used webarchive files as the trojan horse for uXSS.

Safari’s alternative to HTML for saving websites locally, webarchive files specify the web origin in which the content should be rendered.

Pickren circumvented macOS Gatekeeper’s block on users opening webarchive files directly by opening the files indirectly via an approved app, Safari. The researcher discovered that the .url shortcut filetype would launch Safari and instruct the browser to open the file.

“A subtle, but wildly impactful, design flaw” in ShareBear, a backend application for sharing files via iCloud, meant an attacker could surreptitiously swap a benign file with a malicious file after it had been shared with and downloaded by a victim.


Read more of the latest Apple security news


The victim would receive no notification of this file swap.

“In essence, the victim has given the attacker permission to plant a polymorphic file onto their machine and the permission to remotely launch it at any moment,” said Pickren.

The researcher fashioned the exploit after successfully performing a similar trick on Safari v14.1.1, but it soon transpired that beta Safari v15 was inadvertently impervious due to an unrelated code refactor.

He also managed to steal local files by circumventing sandbox restrictions, as well as unearthing a popup-blocker bypass and iframe sandbox escape.

Remediation

Pickren reported the bugs to Apple in July 2021. They were addressed recently in macOS Monterey 12.0.1 that has resulted in ShareBear now revealing (rather than launching) files, and by preventing WebKit from opening quarantined files in Safari 15.

The $100,000 reward dwarfs the $75,000 payout Pickren revealed in 2020 for a one-click JavaScript-to-webcam access exploit that worked on iPhones, iPads, and macOS.

Pickren soon renewed his interest in Apple webcams and once again compromised iOS and macOS cameras last year, this time via a Safari bug chain that leveraged Skype’s camera permission.


YOU MIGHT ALSO LIKE PrinterLogic vendor addresses triple RCE threat against all connected endpoints