Apple offers $100,000 reward for Safari webcam hack that compromises victims’ online accounts

Gatekeeper defense proves no match for uXSS attack

Security flaws in Apple’s iCloud and Safari 15 could allow attackers to compromise macOS webcams and, in turn, compromise victims’ online accounts.

Independent security researcher Ryan Pickren has been awarded an eye-popping $100,500 bug bounty for a Universal Cross-Site Scripting (uXSS) vulnerability and the bugs found alongside it, four in all.

uXSS all fields

While camera hacking requires user interaction, the potential impact of a successful compromise is staggering.

“While this vulnerability does require the victim to click ‘open’ on my site’s popup, it results in more than just multimedia permissions hijacking,” Pickren said in a technical write-up.

He added that the exploit gives “an attacker full access to every website a victim has ever visited. This means that in addition to turning on your camera, my exploit can also compromise your iCloud, PayPal, Facebook, Gmail, etc. account.”

Pickren demonstrated a scenario in which the victim agreed to open a folder containing PNG images and a hidden webarchive file that injected code into icloud.com to leak their iOS camera roll.

A paper (PDF) published by Google Project Zero describes uXSS vulnerabilities, which can compromise multiple online accounts at once, as browser exploits that are “almost as valuable as sandbox-escape remote code execution (RCE) vulnerabilities.”

“Subtle but profound”

Back in 2013, the authors of the penetration testing framework Metasploit used webarchive files as a uXSS Trojan.

A webarchive file, Safari’s alternative to HTML for saving websites locally, specifies the web origin from which its content should be rendered.

Pickren bypassed macOS Gatekeeper’s block on users opening webarchive files directly by opening them indirectly through Safari, an approved app: he found that a .url shortcut file launches Safari and instructs the browser to open the webarchive.

A “subtle but high-impact design flaw” in ShareBear, the background app that handles iCloud file sharing, meant an attacker could surreptitiously swap a benign file for a malicious one after sharing it with a victim who had already downloaded it.

The victim is not notified of the file swap.

“Essentially, the victim has allowed the attacker to plant a polymorphic file on their machine and allow it to be launched remotely at any time,” Pickren said.

Pickren designed the exploit after pulling off a similar trick on Safari v14.1.1, but soon discovered that the beta of Safari v15 had been inadvertently hardened against it by an unrelated code refactoring.

He also managed to steal local files by bypassing sandbox restrictions, and unearthed pop-up blocker bypasses and iframe sandbox escapes along the way.

Remediation

Pickren reported the bugs to Apple in July 2021. They were recently fixed in macOS Monterey 12.0.1, which changes ShareBear to display files rather than launch them, and which prevents WebKit from opening quarantined files in Safari 15.

The $100,000 reward dwarfs the $75,000 Pickren earned in 2020 for disclosing a one-click JavaScript-to-webcam exploit affecting iPhone, iPad, and macOS.

Pickren soon returned to Apple webcams, hacking iOS and macOS cameras again last year, this time through a Safari exploit chain that took advantage of Skype’s camera permissions.
