Apple has paid out $75,000 for information about a particularly serious bug that could have been exploited to take over an iPhone's or a Mac's camera and microphone.
It is actually three bugs that could, or could have been, exploited. All three bugs are fixed in the latest versions of iOS and macOS. The bugs were in Apple's web browser Safari, and they could have been used to take over devices via code on a web page, for example.
Former Amazon Web Services security engineer Ryan Pickren discovered seven zero-day vulnerabilities in Apple's Safari that could be used to hijack users' cameras. The vulnerabilities exploited the way Safari parsed Uniform Resource Identifiers, managed web origins, and initialized secure contexts.
The only requirement was that the user's camera would have had to trust a video conferencing site, like Zoom. If that criterion was met, a user could visit a site that used the attack chain, and a hacker could gain access to the user's camera, both on iOS and macOS.
Pickren had submitted his research to the Apple Bug Bounty program and was paid $75,000 for his contribution. Apple fixed three of the security flaws, the ones that allowed for camera hijacking, in the January 28 Safari 13.0.5 update. The four remaining flaws were not fixed until the Safari 13.1 release on March 24.