
Safari security flaws exposed hacks to webcams, online accounts, and more

When you think about browsers with household names, the last thing that comes to mind is a vulnerability that puts your security at risk. Yet as recently as the end of last year, Apple had to fix macOS vulnerabilities that could have exposed your Safari tabs and browser settings to attack, allowing hackers to take control of your microphone, webcam, and online accounts.

Ryan Pickren, an independent security researcher and founder of BugPoc, a site created to host proof-of-concept demos of security issues, poked around for potential weaknesses in Safari and found one in an unlikely place: iCloud. macOS, the operating system for Apple Mac computers, already ships with built-in protections such as Gatekeeper, which validates the software your Mac runs. Pickren was able to bypass Gatekeeper through iCloud's document-sharing mechanism, which relies on the trust relationship between macOS and iCloud. That mechanism is ShareBear, a behind-the-scenes app Apple uses to coordinate file transfers. Pickren manipulated ShareBear into distributing malicious files to would-be victims.

For this find, Ryan Pickren was awarded $100,500 from Apple's bug bounty program, which rewards researchers who discover new vulnerabilities in Apple's products. How did he do it? The attack is staged by first offering the victim a harmless file, chosen to be interesting enough that the victim is tricked into clicking it. Because of the trusted relationship between ShareBear, iCloud, and Safari, the attacker could later revisit the file they had shared with the victim and swap it out for a malicious one. This happens undetected, with no prompt or notification alerting the victim that anything on their computer has changed.

Once the malicious file has been planted on the victim's system, the attacker can operate Safari as though they were the intended user: view everything the victim sees, gain access to the accounts the victim is logged into, exploit permissions the victim granted to websites for camera and microphone access, and essentially read any file stored locally on the victim's Mac.

In his own words, Pickren described the end result: the attack can have “full access to every website you’ve visited in Safari, meaning that if you’re visiting my evil website on one tab, and then your other tab, you have Twitter open, I can jump into that tab and do everything you can from that screen. So it does allow me to fully perform an account takeover on every website you visited in Safari.” (As told to The Register.) Pickren has also described this attack method “as basically punching a hole in the browser.”

Since the discovery, Apple has remedied the bugs in two parts. First, Apple released the macOS Monterey 12.0.1 update with an upgraded version of ShareBear that only reveals downloaded files instead of launching them. Second, Apple addressed Safari's WebKit engine so that it now blocks quarantined files, such as downloaded web archives.

The sheer complexity of browsers such as Safari makes bugs common. (Keep in mind that Safari is also the browser iPhones use.) Attackers regularly infiltrate browsers with clever tactics that take full advantage of their vulnerabilities, whether at the criminal level or the nation-state level. As long as people use browsers, there will be a threat of attack. This is why it is so important to always keep your browsers updated.

Jabari Oliver, https://wigithread.com
Jabari is an innovative digital marketing entrepreneur skilled at enhancing and optimizing business processes to ensure growth and success. He is experienced with analyzing internal workflow processes to identify areas of enhancement, developing and implementing business development plans, website content management, LMS content management, and designing workflows.
