{"id":780,"date":"2020-04-04T05:43:55","date_gmt":"2020-04-04T04:43:55","guid":{"rendered":"http:\/\/zerothcode.com\/blog\/?p=780"},"modified":"2020-04-04T05:43:55","modified_gmt":"2020-04-04T04:43:55","slug":"visiting-site-can-hack-iphone","status":"publish","type":"post","link":"https:\/\/zerothcode.com\/blog\/visiting-site-can-hack-iphone\/","title":{"rendered":"How Just Visiting A Site Could Have Hack iPhone or MacBook Camera"},"content":{"rendered":"

Hack iPhone : If you use Apple iPhone or MacBook, here we have a piece of alarming news for you.<\/p>\n

Turns out merely visiting a website \u2014 not just malicious but also legitimate sites unknowingly loading malicious ads as well<\/p>\n

\u2014 using Safari browser could have let remote attackers secretly access your device’s camera, microphone, or location, and in some cases, saved passwords as well. Hack iPhone<\/p>\n

Apple recently paid a $75,000 bounty reward to an ethical hacker,\u00a0Ryan Pickren,<\/p>\n

who practically demonstrated the hack and helped the company patch a total of seven new vulnerabilities before any real attacker could take advantage of them.<\/p>\n

The fixes were issued in a series of updates to Safari spanning\u00a0versions 13.0.5\u00a0(released January 28, 2020) and\u00a0Safari 13.1 (published March 24, 2020)<\/p>\n

“If the malicious webite wanted camera access, all it had to do was masquerade as a trusted video-conferencing website such as Skype or Zoom,” Pickren said.<\/p>\n

When chained together,<\/p>\n

three of the reported Safari flaws could have allowed malicious sites to impersonate any legit site a victim trusts.<\/p>\n

and access camera or microphone by abusing the permissions that were otherwise explicitly granted by the victim to the trusted domain only.<\/p>\n

Hack iPhone : An Exploit Chain to Abuse Safari’s Per-Site Permissions<\/h2>\n

Safari browser grants access to certain permissions such as camera, microphone, location, and more on a\u00a0per-website basis.<\/p>\n

This makes it easy for individual websites, say Skype, to access the camera without asking for the user’s permission every time the app is launched.<\/p>\n

But there are exceptions to this rule on iOS. While third-party apps must require user’s explicit consent to access the camera,<\/p>\n

Safari can access the camera or the photo gallery without any permission prompts. :Hack iPhone<\/p>\n

Specifically, improper access is made possible by leveraging an exploit chain that stringed together multiple flaws in the way the browser\u00a0parsed<\/p>\n

URL schemes\u00a0and handled the security settings on a per-website basis. This method only works with websites that are currently open.<\/p>\n

\n
\"Hack<\/a>
Hack iPhone<\/figcaption><\/figure>\n<\/div>\n

\n“A more important observation was that the URL’s scheme is completely ignored,” Pickren noted. :Hack iPhone<\/h3>\n

“This is problematic because some schemes don’t contain a meaningful hostname at all, such as file:, javascript:, or data:.”<\/p>\n

Put another way, Safari failed to check if the websites adhered to the same-origin policy,<\/p>\n

thereby granting access to a different site that shouldn’t have obtained permissions in the first place.<\/p>\n

As a result, a website such as “https:\/\/example.com” and its malicious counterpart “fake:\/\/example.com” could end up having the same permissions.<\/p>\n

Thus, by taking advantage of Safari’s lazy hostname parsing, it was possible to use a “file:” URI<\/p>\n

(e.g., file:\/\/\/path\/to\/file\/index.html) to fool the browser into changing the domain name using JavaScript.<\/p>\n

“Safari thinks we are on skype.com, and I can load some evil JavaScript. Camera, Microphone, and Screen Sharing are all compromised when you open my local HTML file,” Pickren said.<\/p>\n

The research found that even plaintext passwords can be stolen this way as Safari uses the same approach to detect websites on which password auto-fill needs to be applied.<\/p>\n

Furthermore, auto-download preventions can be bypassed by first opening a trusted site as a pop-up, and subsequently using it to download a malicious file.<\/p>\n

Likewise, a “blob:” URI (e.g. blob:\/\/skype.com) can be exploited to run arbitrary JavaScript code,<\/p>\n

using it to directly access the victim’s webcam without permission.<\/p>\n

In all, the research uncovered seven different zero-day vulnerabilities in Safari \u2014 :Hack iPhone<\/p>\n