Safari Flaws Exposed Webcams, Online Accounts, and More

Apple awarded a $100,500 bug bounty to the researcher who discovered the latest major vulnerability in its browser. 
girl on laptop
Once the hacker has staged the attack they can essentially take over Safari.Photograph: Noam Galai/Getty Images

Usually the worst thing that happens when you have dozens of browser tabs open is you can't find the one that suddenly starts blasting random ads. But a group of macOS vulnerabilities—fixed by Apple at the end of last year—could have exposed your Safari tabs and other browser settings to attack, opening the door for hackers to grab control of your online accounts, turn on your microphone, or take over your webcam.

MacOS has built-in protections to prevent this sort of attack, including Gatekeeper, which confirms the validity of the software your Mac runs. But this hack got around those safeguards by abusing iCloud and Safari features that macOS already trusts. While poking for potential weaknesses in Safari, independent security researcher Ryan Pickren started looking at iCloud's document-sharing mechanism because of the trust inherent between iCloud and macOS. When you share an iCloud document with another user, Apple uses a behind-the-scenes app called ShareBear to coordinate the transfer. Pickren found that he could manipulate ShareBear to offer victims a malicious file. 

In fact, the file itself doesn't even have to be malicious at first, making it easier to offer victims something compelling and trick them into clicking. Pickren found that because of the trusted relationship between Safari, iCloud, and ShareBear, an attacker could actually revisit what they shared with a victim later and silently swap the file for a malicious one. All of this can happen without the victim receiving a new prompt from iCloud or realizing that anything has changed. 

Once the hacker has staged the attack, they can essentially take over Safari, see what the victim sees, access the accounts the victim is logged into, and abuse permissions the victim has granted websites to access their camera and microphone. An attacker could also access other files stored locally on the victim's Mac.

“The attacker is basically punching a hole in the browser,” says Ryan Pickren, the security researcher who disclosed the vulnerabilities to Apple. “So if you’re signed in to Twitter.com on one tab, I could jump into that and do everything you can from Twitter.com. But that’s nothing to do with Twitter’s servers or security; I as the attacker am just assuming the role that you already have in your browser.”

In October, Apple patched the vulnerability in Safari's WebKit engine and made revisions in iCloud. And in December it patched a related vulnerability in its Script Editor code automation and editing tool.

“This is an impressive exploit chain,” says Patrick Wardle, a longtime researcher and founder of the macOS security nonprofit Objective-See. “It's clever that it exploits design flaws and creatively uses built-in macOS capabilities to circumvent defense mechanisms and compromise the system.”

Pickren previously discovered a series of Safari bugs that could have enabled webcam takeovers. He disclosed the new findings through Apple's bug bounty program in mid-July, and the company awarded him $100,500. The amount is not unprecedented for Apple's disclosure program, but its size reflects the severity of the flaws. In 2020, for example, the company paid out $100,000 for a crucial flaw in its Sign In With Apple single sign-on system.

Safari and Webkit, though, have a particular set of security challenges because they are such massive platforms. And Apple has had a difficult time getting a handle on the problem, even when vulnerabilities are public for weeks or months. 

“As systems become more complex, they introduce more bugs, and that’s especially true for web browsers these days,” Pickren says. “Safari can do so many things, it’s really no surprise that there are going to be more bugs as more features come out.”

Such bugs may be common, but that doesn't make them any less serious. Attackers regularly take advantage of browser vulnerabilities for both criminal and nation-state hacking. For example, they are commonly exploited in watering hole attacks that target visitors of tainted websites. And hackers actively use unpatched “zero-day” browser vulnerabilities they've discovered or purchased, along with older bugs that they can exploit opportunistically when targets haven't updated their browsers. 

“A bug like this really stresses how crucial it is to keep your browser up to date,” Pickren says. “It's an easy thing to push off, but it's ultra-important.”

It's solid advice, regardless of your browser of choice.


More Great WIRED Stories