Information Security News mailing list archives

Flaw hunter bags $75,000 off Apple after duping Safari into spying through iPhone, Mac cameras without permission


From: InfoSec News <alerts () infosecnews org>
Date: Wed, 8 Apr 2020 12:16:22 +0000 (UTC)

https://www.theregister.co.uk/2020/04/07/apple_safari_camera_hack/

By Tim Anderson
The Register
7 Apr 2020

Independent security researcher Ryan Pickren has revealed how a malicious
website could hack Apple's Safari browser on iOS and macOS to spy on the user
through the computer's camera without prompting for permission.

Pickren said Apple classified the bug as "one-click remote partial access to
sensitive data," and awarded him $75,000 under the terms of its Security Bounty
scheme.

Apple fixed the issues with Safari 13.1, crediting Pickren for three bug reports
in the patch release notes. The three flaws mentioned by Apple are "a malicious
iframe may use another website’s download settings"; "a download's origin may be
incorrectly associated"; and "a file URL may be incorrectly processed". The fix
is dated March 24, 2020 and the vulnerable version of Safari is 13.0.4, so if
you still have that one, update it now.

Pickren is the founder of the site BugPoC, designed for hosting proof-of-concept
demos of security issues.

[...]
--
Subscribe to InfoSec News
https://www.infosecnews.org/subscribe-to-infosec-news/
https://twitter.com/infosecnews_
