Safari bug let hackers access cameras on iPhones and Macs

Apple patched the eavesdropping flaws in January and March

A security researcher has detailed his discovery of Safari browser flaws that could have allowed hackers to eavesdrop on users by hijacking the camera and microphone on their iOS and macOS devices.

Security researcher Ryan Pickren has published an account of how he found the vulnerabilities, which “allowed malicious websites to masquerade as trusted websites" when viewed on iPhones, iPads and Mac devices using Apple's Safari browser.

“Hackers could then use their fraudulent identity to invade users' privacy. This worked because Apple lets users permanently save their security settings on a per-website basis,” Pickren explained on his website. “If the malicious website wanted camera access, all it had to do was masquerade as a trusted video-conferencing website such as Skype or Zoom.”

Pickren disclosed his findings to Apple in December 2019 and the tech giant patched the vulnerabilities in January and March. 

Head of platform operations at edgescan, Ciaran Byrne, warned that the flaw could have threatened the security and confidentiality of many businesses

“In the current landscape where more and more people are working from home, this could be a very serious risk that may allow malicious actors snoop on official meetings and gain sensitive information,” he said.

“The regular face-to-face meetings have all moved to online meetings, and are continuing as normal. The takeaway here is that no platform is fully secure and that users need to be vigilant when visiting suspicious looking URLs in any browser.”

Byrne advised employees to always verify the source and make sure not to click on any links. “Hackers are not taking a break due to the coronavirus outbreak,” he added.

The flaws could have also threatened the privacy of a large number of employees who are relying on video conferencing while being forced to self-isolate.

"With most people working remotely due to COVID-19, accessing webcams and microphones can have a severe impact not just to the organisation, but also to individuals home privacy,” said Javvad Malik, security awareness advocate at KnowBe4.

Related Resource

Cyber security for accountants

3 ways to protect yourself and your clients online

Download now

“Like most attacks we see though, in order to be successful, this relies on a victim clicking on a malicious link. Therefore, it's vitally important that all staff are provided with adequate and timely security awareness and training so that they are aware of these kinds of issues, and know how to avoid falling victim, and reporting these to their IT teams.”

Malik added that, in order to maximise safety, “users should also consider disconnecting any external webcams when not in use, or apply a webcam cover”.

This is not the first vulnerability discovered in Safari. Earlier this year, Google researchers discovered significant security flaws in the browser’s privacy feature that allowed for user browsing behaviour to be tracked. 

Featured Resources

Digital document processes in 2020: A spotlight on Western Europe

The shift from best practice to business necessity

Download now

Four security considerations for cloud migration

The good, the bad, and the ugly of cloud computing

Download now

VR leads the way in manufacturing

How VR is digitally transforming our world

Download now

Deeper than digital

Top-performing modern enterprises show why more perfect software is fundamental to success

Download now

Recommended

Bank-targeting malware disguises itself as video conferencing software
Security

Bank-targeting malware disguises itself as video conferencing software

19 Oct 2020
What is shoulder surfing?
Security

What is shoulder surfing?

19 Oct 2020
Google blocked record-breaking 2.5Tbps DDoS attack in 2017
Security

Google blocked record-breaking 2.5Tbps DDoS attack in 2017

19 Oct 2020
Microsoft releases two emergency Windows patches
Security

Microsoft releases two emergency Windows patches

19 Oct 2020

Most Popular

The top 12 password-cracking techniques used by hackers
Security

The top 12 password-cracking techniques used by hackers

5 Oct 2020
iPhone 12 lineup official with A14 Bionic chip and 5G support
Mobile Phones

iPhone 12 lineup official with A14 Bionic chip and 5G support

13 Oct 2020
Google blocked record-breaking 2.5Tbps DDoS attack in 2017
Security

Google blocked record-breaking 2.5Tbps DDoS attack in 2017

19 Oct 2020