Ad banner hijack exploit earns security researcher $75,000 bug bounty
UPDATED A series of recently patched security vulnerabilities impacting Apple’s Safari web browser created a means for unauthorized websites to access the camera on iPhones, iPads, and macOS computers.
Both the iOS and macOS versions of Safari were affected by the privacy-busting exploit chain.
Security researcher Ryan Pickren reported the bugs to Apple, which patched the vulnerabilities in a series of updates released in February and March this year.
Apple confirmed the exploit, filing the research under the ‘Zero-Click Unauthorized Access to Sensitive Data’ category of its bug bounty program, and awarding Pickren $75,000 for his discoveries.
Blink and you’ll miss it
Before they were resolved, the vulnerabilities could have allowed a specially-crafted website ad banner to hijack a user’s camera and microphone and spy on them.
“This vulnerability allowed malicious websites to masquerade as trusted websites when viewed on Desktop Safari (like on Mac computers) or Mobile Safari (like on iPhones or iPads),” Pickren explained in a blog post summarizing his vulnerability finds.
“Hackers could then use their fraudulent identity to invade users' privacy. This worked because Apple lets users permanently save their security settings on a per-website basis.
“If the malicious website wanted camera access, all it had to do was masquerade as a trusted video-conferencing website such as Skype or Zoom,” he added.
Pickren has put together a detailed technical walkthrough of his latest vulnerability discoveries.
Going on Safari
Pickren told The Daily Swig how he approached this Safari research project.
“I began the camera hunt when I realized that Safari was not using web origins to save website permission settings. URI parsing is really tough to get 100% right, so I figured it was worth looking into.”
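The root cause Pickren points to is that saved permissions were not keyed on the web origin. As an added illustration (not code from the article or from Pickren's write-up), the Python below shows the defender's side of that: a permission store that normalizes every URL to its origin tuple of scheme, host and port before storing or checking a grant, so that a lookalike host, a userinfo prefix or a scheme downgrade never matches a saved grant. The hostnames used are constructed examples.

```python
from urllib.parse import urlsplit

# Default ports per scheme, used so that "https://a.example/" and
# "https://a.example:443/" normalize to the same origin.
DEFAULT_PORTS = {"https": 443, "http": 80}


def origin_of(url: str) -> str:
    """Return the serialized origin "scheme://host:port" for an absolute URL.

    urlsplit().hostname already lowercases the host, strips IPv6 brackets and
    discards any userinfo, so "https://trusted.example@evil.test/" yields the
    host "evil.test", not "trusted.example".
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname
    if not scheme or not host:
        raise ValueError(f"not an absolute URL: {url!r}")
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    if port is None:
        raise ValueError(f"no port known for scheme {scheme!r}")
    return f"{scheme}://{host}:{port}"


class PermissionStore:
    """Hypothetical per-site permission store keyed strictly on origin."""

    def __init__(self) -> None:
        self._grants: dict[str, set[str]] = {}

    def grant(self, url: str, capability: str) -> None:
        # The grant is recorded against the origin, never the raw URL string.
        self._grants.setdefault(origin_of(url), set()).add(capability)

    def is_granted(self, url: str, capability: str) -> bool:
        return capability in self._grants.get(origin_of(url), set())


def demo() -> dict[str, bool]:
    """Grant the camera to one constructed origin and probe some lookalikes."""
    store = PermissionStore()
    store.grant("https://meet.example/call", "camera")
    return {
        # Same origin, different case/path/explicit default port: still granted.
        "same_origin": store.is_granted("https://MEET.example:443/other", "camera"),
        # Scheme differs, so it is a different origin.
        "http_downgrade": store.is_granted("http://meet.example/call", "camera"),
        # Trusted name used as a subdomain of another host.
        "lookalike_subdomain": store.is_granted("https://meet.example.evil.test/", "camera"),
        # Trusted name smuggled in as userinfo; the real host is evil.test.
        "userinfo_trick": store.is_granted("https://meet.example@evil.test/", "camera"),
        # A capability that was never granted.
        "ungranted_capability": store.is_granted("https://meet.example/", "microphone"),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:22s} -> {'ALLOW' if allowed else 'deny'}")
```

The design point is that the key is computed once, by a single normalization routine, from the parsed URL rather than from the string the page presented; every decision then compares the same three components, which is what "using web origins" means in practice.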
The security researcher rates the seriousness of the flaw as higher than most that periodically affect mobile browser technology.
Pickren explained: “In my opinion, this bug is more serious than the typical bugs you might find in web or mobile apps. This bug affected the most popular mobile web browser in the US and impacted millions of users.
“The Apple product security team was a pleasure to work with and I look forward to continuing to participate in their bounty program,” he concluded.
This story was updated to add comment from Ryan Pickren.