Ad banner hijack exploit earns security researcher $75,000 bug bounty

UPDATED A series of recently patched security vulnerabilities impacting Apple’s Safari web browser created a means for unauthorized websites to access the camera on iPhones, iPads, and macOS computers.

Security researcher Ryan Pickren earned a $75,000 bug bounty from Apple for uncovering the seven Safari bugs, including a set of three flaws that, when combined, allowed the creation of a one-click malicious JavaScript-to-webcam access exploit.

Both the iOS and macOS versions of Safari were affected by the privacy-busting exploit chain.

Pickren reported the security bugs to Apple, which patched the vulnerabilities in a series of updates released in February and March this year.

Apple confirmed the exploit, filing the research under the ‘Zero-Click Unauthorized Access to Sensitive Data’ category of its bug bounty program, and awarding Pickren $75,000 for his discoveries.

Blink and you’ll miss it

Before they were resolved, the vulnerabilities could have allowed a specially-crafted website ad banner to hijack a user’s camera and microphone and spy on them.

This was possible because Apple’s browser technology mistakenly allowed unauthorized websites to pose as a trusted video conferencing website such as Skype or Zoom.

Flaws in how Safari was parsing URIs, managing web origins, and initializing secure contexts meant that any JavaScript code with the ability to create a popup (such as a standalone website, embedded ad banner, or even browser extension) could directly access a Safari user’s webcam without asking for permission.
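The defensive point behind this chain is that per-site permissions must be keyed on the web origin (scheme, host and effective port) as computed by a standards-compliant URL parser, never on the raw URI string. The following is an added illustration, not code from the article, from Pickren's research, or from Apple: a small permission store keyed on `URL.origin`, beside the substring matching it deliberately avoids. The `PermissionStore`, `originOf` and `naiveHostMatch` names and the `meet.example` addresses are assumptions made for the example.

```javascript
// Added example (not from the article or any Apple/Safari code): a per-site
// permission store keyed by web origin rather than by raw URI string.
// Assumes the WHATWG URL API (global `URL`, present in browsers and Node).

// Compute the origin (scheme + host + effective port) of a URL string.
// Opaque origins (e.g. data: URLs) serialize as "null" and are refused, so
// a permission can never be keyed on something that is not a real site.
function originOf(urlString) {
  const u = new URL(urlString);
  if (u.origin === "null") {
    throw new Error("opaque origin, refusing to key permissions on it");
  }
  return u.origin;
}

class PermissionStore {
  constructor() {
    this.grants = new Map(); // origin -> Set of granted permission names
  }
  grant(urlString, permission) {
    const o = originOf(urlString);
    if (!this.grants.has(o)) this.grants.set(o, new Set());
    this.grants.get(o).add(permission);
  }
  isGranted(urlString, permission) {
    const o = originOf(urlString);
    return this.grants.has(o) && this.grants.get(o).has(permission);
  }
}

// The check the store avoids: looking for a trusted hostname anywhere in the
// raw URI. Included only to contrast with origin keying.
function naiveHostMatch(urlString, trustedHost) {
  return urlString.includes(trustedHost);
}

// Grant "camera" to one origin, then probe related URLs. Path, query,
// fragment and an explicit default port do not change the origin; a
// different scheme, port or subdomain does.
function demo() {
  const store = new PermissionStore();
  store.grant("https://meet.example/room/42", "camera");
  return {
    samePath: store.isGranted("https://meet.example/other?x=1#frag", "camera"),
    explicitDefaultPort: store.isGranted("https://meet.example:443/", "camera"),
    httpScheme: store.isGranted("http://meet.example/", "camera"),
    otherPort: store.isGranted("https://meet.example:8443/", "camera"),
    subdomain: store.isGranted("https://app.meet.example/", "camera"),
    // Substring matching says "trusted" for an unrelated site whose query
    // string merely mentions the trusted host; the origin store does not.
    naiveQueryString: naiveHostMatch("https://other.example/?ref=meet.example", "meet.example"),
    originQueryString: store.isGranted("https://other.example/?ref=meet.example", "camera"),
  };
}
```

Running `demo()` returns `true` for the first two probes and `false` for the scheme, port and subdomain variants; the last pair shows substring matching accepting a URL that origin keying correctly rejects. Keying on `URL.origin` pushes all the hard parsing into the platform's URL implementation instead of reimplementing it in application code.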

“This vulnerability allowed malicious websites to masquerade as trusted websites when viewed on Desktop Safari (like on Mac computers) or Mobile Safari (like on iPhones or iPads),” Pickren explained in a blog post summarizing his vulnerability finds.

“Hackers could then use their fraudulent identity to invade users' privacy. This worked because Apple lets users permanently save their security settings on a per-website basis.

“If the malicious website wanted camera access, all it had to do was masquerade as a trusted video-conferencing website such as Skype or Zoom,” he added.

Pickren has put together a detailed technical walkthrough of his latest vulnerability discoveries.

Going on Safari

Pickren told The Daily Swig how he approached this Safari research project.

“I began the camera hunt when I realized that Safari was not using web origins to save website permission settings. URI parsing is really tough to get 100% right, so I figured it was worth looking into.”

The security researcher rates the seriousness of the flaw as higher than most that periodically affect mobile browser technology.

Pickren explained: “In my opinion, this bug is more serious than the typical bugs you might find in web or mobile apps. This bug affected the most popular mobile web browser in the US and impacted millions of users.

“The Apple product security team was a pleasure to work with and I look forward to continuing to participate in their bounty program,” he concluded.


This story was updated to add comment from Ryan Pickren.

