Crisis was indeed averted. With one click on a malicious link, a hacker would have had access to a target’s webcam and microphone on both iOS and macOS devices.
Scary. And you should apologize to your buddy whom you always ridiculed for having a sticker over his MacBook’s webcam. He might have been onto something.
These were the shocking findings that a security researcher publicly shared last week, according to a Wired report. They showed how easy it would have been for an attacker to take advantage of any user of an Apple product.
The vulnerabilities stemmed from three specific Safari bugs, and thankfully, Apple was able to patch them in its January and March updates. If Apple hadn’t released those updates, the company could be mired in a Zoom-like security fiasco right now, especially considering that millions of Americans are currently working remotely.
It was security researcher Ryan Pickren who discovered these particular bugs in Safari. By chaining several of the bugs together, an attacker was able to create a web link that could trick Safari into handing over control of the computer’s webcam and microphone. Then the victim’s webcam and microphone could be “quietly” turned on to record video and audio as well as take photos.
“I just kind of hammered the browser with really weird cases until Safari got confused and gave an origin that didn’t make sense,” Pickren told Wired. “And eventually the bugs could all kind of bounce from one to the next. Part of this is that some of the bugs were really, really old flaws in the WebKit core from years ago.”
These bugs were considered to be several years old, so there would have been ample time for such attacks to take place.
Pickren told Apple about seven vulnerabilities in total in mid-December. For his work, Apple gave Pickren a handsome bounty of $75,000, and the eventual updates made Apple’s devices safer to use for all.
The discovery of these bugs only underscores the fact that hackers have the ability to take advantage of weaknesses, no matter how small they may be, in any tech product. More troubling is that Apple should have all the financial resources in the world to stop such security threats, but these seem to pop up every few months or so, no matter how much money is thrown at them. It’s best to always be on guard.
Ethen Kim Lieser is a Tech Editor who has held posts at Google, The Korea Herald, Lincoln Journal Star, AsianWeek and Arirang TV.