Tomcat
Professional
- Messages
- 2,695
- Reaction score
- 1,072
- Points
- 113
Bad news for Apple iPhone and MacBook owners - simply by visiting a website (not necessarily malicious, it might be a legitimate resource, but with malicious ads) through the Safari browser, it can provide a remote attacker with access to the camera and microphone on their device, location data and in some cases even passwords.
The vulnerability was discovered by security researcher Ryan Pickren, who reported it to six other Apple companies. For this, he received a reward of $ 75 thousand. The problems were fixed in several stages, starting from the Safari version 13.0.5 (released on January 28, 2020) and ending with version 13.1 (released on March 24, 2020).
As Pikren explained, in order to gain access to the camera on the victim's device, an attacker only needs to lure her into a fake site that mimics a conference call service like Skype or Zoom. A combination of three vulnerabilities discovered by the researcher allows attackers to pass off a malicious website as legitimate and obtain permission to access the microphone and camera, which is granted only to trusted domains.
List of vulnerabilities:
CVE-2020-3852: Incorrectly ignored URL scheme when resolving site media permissions.
CVE-2020-3864: The context of a DOM element may not have a unique safe origin.
CVE-2020-3865: The context of a top-level DOM element may incorrectly be considered safe.
CVE-2020-3885: Incorrect handling of file URL.
CVE-2020-3887: Incorrect download source binding.
CVE-2020-9784: A malicious iframe is using another site's load settings.
CVE-2020-9787: Incorrectly ignoring a dash (-) and period (.) URL scheme when specifying media permissions on a site.
