
Security vulnerabilities in Apple iCloud and Safari 15 could have enabled attackers to compromise macOS webcams and victimise online users.
A researcher netted a $100,500 bug bounty for the universal cross-site scripting (uXSS) exploit and a total of four flaws.
The potential impact of a successful compromise was egregious. The camera hack requires user interaction, and it gives the attacker full access to every website ever visited by the victim. That means that, in addition to turning on the camera, this bug can also hack your iCloud, PayPal, Facebook, Gmail and other accounts.
The researcher used webarchive files as the trojan horse for uXSS. Webarchive files, Safari’s alternative to HTML for saving websites locally, specify the web origin in which the content should be rendered.
The researcher circumvented macOS Gatekeeper’s block on users opening webarchive files directly by opening the files indirectly via an approved app, Safari. A .url shortcut file would launch Safari and instruct the browser to open the webarchive.
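For triage of downloaded files, the two artefacts described above can be inspected offline. The following is an added example, not code from the researcher or Apple: it reads the origin a webarchive declares and flags .url shortcuts that point Safari at a local webarchive. The plist key names come from the webarchive format rather than from this page, and the function names and sample values are constructed for illustration.

```python
import configparser
import plistlib
import re
from urllib.parse import urlsplit

SCRIPT_RE = re.compile(rb"<script\b|javascript:", re.I)

def inspect_webarchive(blob: bytes) -> dict:
    """Return the origin a webarchive claims and whether its main page carries script."""
    main = plistlib.loads(blob)["WebMainResource"]  # binary or XML plist
    url = urlsplit(main.get("WebResourceURL", ""))
    return {
        "origin": f"{url.scheme}://{url.netloc}",
        "mime": main.get("WebResourceMIMEType", ""),
        "has_script": bool(SCRIPT_RE.search(main.get("WebResourceData", b""))),
    }

def shortcut_target(text: str) -> str:
    """Return the URL= value of a .url shortcut (INI format), or '' if malformed."""
    parser = configparser.ConfigParser(interpolation=None)  # URLs may contain '%'
    try:
        parser.read_string(text)
    except configparser.Error:
        return ""
    return parser.get("InternetShortcut", "URL", fallback="")

def shortcut_is_suspicious(text: str) -> bool:
    """Flag shortcuts that hand the browser a local webarchive instead of a web URL."""
    url = urlsplit(shortcut_target(text))
    return url.scheme == "file" and url.path.lower().endswith(".webarchive")

# Constructed samples (hypothetical origin and path) so the checks run offline.
SAMPLE_ARCHIVE = plistlib.dumps({
    "WebMainResource": {
        "WebResourceURL": "https://accounts.example.test/",
        "WebResourceMIMEType": "text/html",
        "WebResourceTextEncodingName": "UTF-8",
        "WebResourceFrameName": "",
        "WebResourceData": b"<html><script>/* placeholder */</script></html>",
    }
}, fmt=plistlib.FMT_BINARY)
SAMPLE_SHORTCUT = "[InternetShortcut]\nURL=file:///Users/Shared/sample.webarchive\n"

if __name__ == "__main__":
    print(inspect_webarchive(SAMPLE_ARCHIVE))
    print(shortcut_is_suspicious(SAMPLE_SHORTCUT))
```

A webarchive whose declared origin is a site the user never saved, or a shortcut that resolves to a `file://` webarchive, is worth a closer look before it is opened.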
A subtle design flaw in ShareBear, a backend application for sharing files via iCloud, meant an attacker could surreptitiously swap a benign file with a malicious file after it had been shared with and downloaded by a victim. The victim would receive no notification of this file swap.
The researcher fashioned the exploit after successfully performing a similar trick on Safari v14.1.1, but it soon transpired that the Safari v15 beta was inadvertently impervious due to an unrelated code refactor. He also found ways to evade all sandbox restrictions, bypass the popup blocker and escape the iframe sandbox.
These bugs were reported to Apple in July 2021. They were addressed recently in macOS Monterey 12.0.1, with ShareBear now revealing rather than launching files and WebKit prevented from opening quarantined files in Safari 15.