Keep Your Webcam Covered!

Keep your webcam covered when it’s not in use! It is the best practice for any device that has a webcam.

Apple has a well-earned reputation for security, but in recent years its Safari browser has had its share of missteps. A security researcher publicly shared new findings about vulnerabilities that would have allowed an attacker to exploit three Safari bugs in succession and take over a target’s webcam and microphone on iOS and macOS devices. Needless to say, keep your webcam covered!

Apple patched the vulnerabilities in January and March updates. But before the fixes, all a victim would have needed to do is click one malicious link and an attacker would have been able to spy on them remotely.


“Fortunately for me, as a contingency, I always keep a sticker glued over my webcam at all times. And, I do the same thing with my smart phone as well.”

Like most browsers, “Safari encourages users to save their preferences for site permissions. That can be a big problem. Saving your preferences, like whether to trust Skype with microphone and camera access, can cause you to be hacked!” says Ryan Pickren, the security researcher who disclosed the vulnerabilities to Apple. “So what an attacker could do with this kill chain is make a malicious website that from Safari’s perspective could then turn into ‘Skype’. And then the malicious site will have all the permissions that you previously granted to Skype, which means an attacker could just start taking pictures of you or turn on your microphone or even screen-share.”

While it’s convenient to save your site permissions in your browser, please reconsider going forward. Think of the shortcut that draws blood: sometimes the convenient thing is not the safest thing.

In other words, when users save their preferences for site permissions in their browser, it could expose them to risks. So going forward, consider granting permissions on a ‘one time only’ basis. That is, do not save your permission preferences in your browser! You will have to give the permission each time you use a particular application, but it is better to be safe than sorry!

The bugs Pickren found all stem from seemingly minor oversights. For example, he discovered that Safari’s list of the permissions a user has granted to websites treated all sorts of URL variations as being part of the same site, such as https://www.example.com, http://example.com, and fake://example.com. By “wiggling around,” as Pickren puts it, he was able to generate specially crafted URLs that could work with scripts embedded in a malicious site to launch the bait-and-switch that would trick Safari.
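The permission-matching oversight described above, as an added example (not code from Safari, WebKit or Pickren's research): a toy permission store that contrasts a lookup keyed on the host name alone with one keyed on the full origin. The function names, the `www.` stripping and the sample grant are assumptions made for illustration.

```javascript
// Constructed sample data: the user once granted camera/microphone to this site.
const GRANTED = [{ site: "https://www.example.com", perms: ["camera", "microphone"] }];

// Weak key (simplified model of the flaw): host name only, leading "www." dropped.
// Scheme and port are ignored, so every URL variation collapses to one entry.
function looseKey(url) {
  return new URL(url).hostname.replace(/^www\./, "");
}

// Strict key: the full origin (scheme + host + port), and only for https.
// Any other scheme is never eligible for a saved sensor permission.
function strictKey(url) {
  const u = new URL(url);
  if (u.protocol !== "https:") return null;
  return u.origin;
}

// Return the saved permissions that the given key function would hand to `url`.
function lookup(url, keyFn) {
  const key = keyFn(url);
  if (key === null) return [];
  const hit = GRANTED.find((g) => keyFn(g.site) === key);
  return hit ? hit.perms : [];
}

// Run both policies over a list of URLs and report what each would grant.
function compare(urls) {
  return urls.map((url) => ({
    url,
    loose: lookup(url, looseKey).join(","),
    strict: lookup(url, strictKey).join(","),
  }));
}

// The three variations named in the article, plus a different port (constructed).
const SAMPLE_URLS = [
  "https://www.example.com",
  "http://example.com",
  "fake://example.com",
  "https://example.com:8443",
];

console.table(compare(SAMPLE_URLS));
```

With the loose key every row inherits the saved grant; with the strict key only the exact origin the user approved does.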

Avoid saving your permissions in a browser window.

“I just kind of hammered the browser with really weird cases until Safari got confused and gave an origin that didn’t make sense,” he says. “And eventually the bugs could all kind of bounce from one to the next. Part of this is that some of the bugs were really, really old flaws in the WebKit core from years ago. They probably were not as dangerous as they are now just because the stars lined up on how an attacker would use them today.”
Courtesy of Ryan Pickren

A hacker who tricked a victim into clicking their malicious link could quietly launch the target’s webcam and microphone to capture video, take photos, or record audio. And the attack would work on iPhones, iPads, and Macs alike. None of the flaws are in Apple’s microphone and webcam protections themselves. In fact, the flaws are not even in Safari’s defenses that keep malicious sites from accessing the sensors. Instead, the attack surmounts all of these barriers just by generating a convincing disguise. And finally, if you spend time on the internet, do yourself a favor: USE A VPN, and keep your webcam covered!


Use A VPN when you go online…