Usually the worst thing that happens when you have dozens of browser tabs open is you can’t find the one that suddenly starts blasting random ads. But a group of macOS vulnerabilities—fixed by Apple at the end of last year—could have exposed your Safari tabs and other browser settings to attack, opening the door for hackers to grab control of your online accounts, turn on your microphone, or take over your webcam.
MacOS has built-in protections to prevent this sort of attack, including Gatekeeper, which confirms the validity of the software your Mac runs. But this hack got around those safeguards by abusing iCloud and Safari features that macOS already trusts. While poking for potential weaknesses in Safari, independent security researcher Ryan Pickren started looking at iCloud’s document-sharing mechanism because of the trust inherent between iCloud and macOS. When you share an iCloud document with another user, Apple uses a behind-the-scenes app called “ShareBear” to coordinate the transfer. Pickren found that he could manipulate ShareBear to offer victims a malicious file.
In fact, the file itself doesn’t even have to be malicious at first, making it easier to offer victims something compelling and trick them into clicking. Pickren found that because of the trusted relationship between Safari, iCloud, and ShareBear, an attacker could actually revisit what they shared with a victim later and silently swap the file for a malicious one. All of this can happen without the victim receiving a new prompt from iCloud or realizing that anything has changed.
Once the hacker has staged the attack they can essentially take over Safari, see what the victim sees, access the accounts the victim is logged into, and abuse permissions the victim has granted websites to access their camera and microphone. An attacker could also access other files stored locally on the victim’s Mac.
“The attacker is basically punching a hole in the browser,” says Ryan Pickren, the security researcher who disclosed the vulnerabilities to Apple. “So if you’re signed into Twitter.com on one tab I could jump into that and do everything you can from Twitter.com. But that’s nothing to do with Twitter’s servers or security, I as the attacker am just assuming the role that you already have in your browser.”
In October, Apple patched the vulnerability in Safari’s WebKit engine and made revisions in iCloud. And in December it patched a related vulnerability in its Script Editor code automation and editing tool.
“This is an impressive exploit chain,” says Patrick Wardle, a longtime researcher and founder of the macOS security nonprofit Objective-See. “It’s clever that it exploits design flaws and creatively uses built-in macOS capabilities to circumvent defense mechanisms and compromise the system.”
Pickren previously discovered a series of Safari bugs that could have enabled webcam takeovers. He disclosed the new findings through Apple’s bug bounty program in mid-July and the company awarded him $100,500. The amount is not unprecedented for Apple’s disclosure program, but reflects the severity of the flaws. In 2020, for example, the company paid out $100,000 for a crucial flaw in its Sign In With Apple single sign-on system.
Safari and Webkit, though, have a particular set of security challenges, because they are such massive platforms. And Apple has had a difficult time getting a handle on the problem, even when vulnerabilities are public for weeks or months.