Apple last year addressed multiple macOS vulnerabilities discovered by the security researcher Ryan Pickren in the Safari browser that could allow threat actors to access users’ online accounts, microphone, and webcam.
Pickren received a total of $100,500 payouts for these issues as part of Apple’s bug bounty program.
The security researcher chained the vulnerabilities in iCloud Sharing and Safari 15 to gain unauthorized camera access. An attacker can trick victims into clicking “open” on a popup from my website in order to hijack multimedia permissions and gain full access to every website ever visited by the victim.
The expert pointed out that an attacker could exploit this attack chain to turn the user’s camera, and also to hack their iCloud, PayPal, Facebook, Gmail, and other accounts.
“My hack successfully gained unauthorized camera access by exploiting a series of issues with iCloud Sharing and Safari 15. While this bug does require the victim to click “open” on a popup from my website, it results in more than just multimedia permission hijacking. This time, the bug gives the attacker full access to every website ever visited by the victim. That means in addition to turning on your camera, my bug can also hack your iCloud, PayPal, Facebook, Gmail, etc. accounts too.” reads the post published by the expert. “This research resulted in 4 0day bugs (
The bugs reside in the iCloud file-sharing mechanism named ShareBear. The iCloud Sharing Application ShareBear prompts users only upon attempting to open a shared document for the first time. Successive actions will no more display the prompt again once the users have accepted to open the file. Pickren successfully exploited this behavior by altering the file’s content and file extension after user agree to open it.
The CVE-2021-30861 is a logic issue in WebKit that could allow a malicious application to bypass Gatekeeper checks. The flaw was reported by Wojciech Reguła (@_r3ggi) and Ryan Pickren (ryanpickren.com). The second bug, tracked as CVE-2021-30975, resides in the Script Editor and could allow a malicious OSAX scripting addition to bypass Gatekeeper checks and circumvent sandbox restrictions.
“Once the user clicks Open, the file is downloaded onto the victim’s machine at the location /Users/<user>/Library/Mobile Documents/com~apple~CloudDocs then automatically opened via Launch Services. Then the user will never see this prompt again. From that point forward, ShareBear (and thus any website in Safari) will have the ability to automatically launch this file.” continues the post.”The truly problematic part of this agreement is that the file can be changed by anybody with write access to it. For example, the owner of the file could change the entire byte content and file extension after you agree to open it. ShareBear will then download and update the file on the victim’s machine without any user interaction or notification.”
A bug bounty hunting journey
