
Unauthorized access to cameras in Safari on macOS and iOS - notRobot
https://www.ryanpickren.com/webcam-hacking-overview
======
floatingatoll
A much better technical explanation than this ‘landing page’ edition is here:
[https://www.ryanpickren.com/webcam-hacking](https://www.ryanpickren.com/webcam-hacking)

This is amazing work. You’ll never see XFO the same way again.

It says that Safari 13.0.4 (macOS) and earlier is required to reproduce;
Safari 13.1 was released last week, so if you’re allowing macOS to stay up to
date, you’re okay there. I didn’t see a clear answer for iOS, but if they
published, it has likely been fixed in iOS as well (or else they’d miss out on
a $75k bounty).

------
7777fps
Is it me or does "webcam hacking" really undersell the bug here?

From the write-up at [https://www.ryanpickren.com/webcam-hacking](https://www.ryanpickren.com/webcam-hacking), the bug chain appears
to allow script execution in "arbitrary" domain context, which at first glance
seems much bigger than just webcam extraction. Sticking up someone's face is
attention grabbing compared to what could be done with that kind of power.

Is it because of the first bug in the chain that only the media-permissions
was affected by the context confusion?

For example being able to extract cookies or local storage from other contexts
would be a much bigger deal (local storage is sometimes used to store XSRF
protection keys or other credentials), so I assume that wasn't at all
affected?

Did any other parts of Safari use the same broken context awareness as the
media permissions, or do we know that it was isolated to media permissions?

~~~
dannyw
There’s only one way to find out: downgrade your Safari and call
document.cookie using the PoC codes.

~~~
7777fps
I don't have any Mac devices or emulators or I would give it a try.

------
tolmasky
It says here he was awarded $75,000, instead of the $150,000 listed on the
Apple page for this type of exploit. Later on, Apple specifies:

    
    
        > Reports that include a basic proof of concept instead of a working exploit are eligible to receive no more than 50% of the maximum payout amount.
    

Can someone explain to me what would have counted as a “working exploit” here
vs. simple proof of concept? They can’t mean actually finding it in the wild
right? The OP’s example seems working enough to me, and this looks like a
really bad bug.

~~~
floatingatoll
Please don't use four-space indents to blockquote non-code here. It doesn't
wrap and isn't readable on mobile. You can use > * ... * instead, as so:

> _Reports that include a basic proof of concept instead of a working exploit
> are eligible to receive no more than 50% of the maximum payout amount._

~~~
tolmasky
Thank you for the suggestion! I also hate the scrolling and this is much
better.

------
oefrha
It seems URI/authority/domain parsing for authorization purposes is highly
risky and leaves a lot to be desired. Another recent high-impact URI parsing
bug in Google’s core library that led to Google-wide domain check bypass:
[https://news.ycombinator.com/item?id=22527842](https://news.ycombinator.com/item?id=22527842)
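
An added illustration of the point above (editor's example, not code from the linked write-up or from any of the bugs discussed): an "is this URL on a trusted host?" check decided by string matching disagrees with what a browser's URL parser actually resolves, and that disagreement is exactly the gap an authority-parsing bypass lives in. The `TRUSTED` allowlist and the probe URLs are constructed for the demonstration; `attacker.test` is a placeholder name.

```javascript
// Editor's added example: string-based authority checks versus a real URL parser.
// TRUSTED is a hypothetical allowlist; every probe URL below is constructed.
const TRUSTED = new Set(['example.com', 'www.example.com']);

// Naive check: "the trusted name comes right after the scheme".
// This is the kind of shortcut that origin-confusion bugs exploit.
function naiveIsTrusted(urlString) {
  const afterScheme = urlString.replace(/^[a-z][a-z0-9+.-]*:\/\//i, '');
  return [...TRUSTED].some(host => afterScheme.startsWith(host));
}

// Even weaker: the trusted name appears anywhere in the string.
function substringIsTrusted(urlString) {
  return [...TRUSTED].some(host => urlString.includes(host));
}

// Robust check: parse with the WHATWG URL parser (the one browsers implement),
// require https, and compare the host component exactly.
function parsedIsTrusted(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return false;                     // unparseable input is never trusted
  }
  if (url.protocol !== 'https:') return false;
  return TRUSTED.has(url.hostname);   // hostname excludes port and userinfo
}

// Constructed probes a tester would throw at an authority check.
const PROBES = [
  'https://example.com/login',                    // genuinely trusted
  'https://example.com.attacker.test/',           // trusted name as a label prefix
  'https://example.com@attacker.test/',           // trusted name in the userinfo
  'https://attacker.test/example.com',            // trusted name in the path
  'https://attacker.test/#example.com',           // trusted name in the fragment
  'https://attacker.test/?r=https://example.com', // trusted name in the query
  'http://example.com/',                          // right host, wrong scheme
  'https:example.com/',                           // no "//": browsers still resolve it
];

// Returns one row per probe so the three checks can be compared side by side.
function compare() {
  return PROBES.map(url => ({
    url,
    naive: naiveIsTrusted(url),
    substring: substringIsTrusted(url),
    parsed: parsedIsTrusted(url),
  }));
}

for (const row of compare()) {
  console.log(row.url.padEnd(46), 'naive:', row.naive, 'substring:', row.substring, 'parsed:', row.parsed);
}
```

The last probe is the instructive one in the other direction: the string checks reject `https:example.com/`, yet the WHATWG parser resolves it to `https://example.com/`, so a browser would happily treat it as that origin. Whichever way the disagreement runs, the only safe policy is to make the authorization decision on the same parsed components the navigation or permission code will act on, never on a second, hand-rolled reading of the string.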

------
nihonium
Good work! People talk about how a webcam cover is essential on laptops, but I
think the iOS side of this exploit is even more crucial. Very few people use
camera covers for phones, because they are ugly and new phones have Face ID etc.,
which makes it impossible to use a camera cover daily. More importantly, we take
our phones to places more private, like bathrooms. Now that iOS Safari supports
front-facing camera streams, I think this discovery is worth more than $75K.

~~~
101404
Every computer controlled camera and microphone should come with an actual
mechanical switch that cuts power.

------
zvrba
On laptops, there's usually a light that turns on when the camera is active. I
(like to) believe that this light is controlled by the camera's firmware,
i.e., it can't be manipulated by software? Can someone knowledgeable confirm
this?

~~~
shakna
> I (like to) believe that this light is controlled by the camera's firmware,
> i.e., it can't be manipulated by software?

Hit and miss.

If it can be controlled by the camera's firmware, then it can be controlled by
software. All it takes is a bug in the firmware, which is unlikely to ever be
updated.

Some camera lights are controlled by the firmware, others are wired onto the
data line, so the moment data is going either way, they light up.

However, defeating the light even in the directly wired case is possible, and
has been done many times. If you fire up the camera, take a photo, and turn
off quickly enough, the light won't be perceived by the victim. (I believe the
FBI and the NSA both had tools that did this that became public knowledge a
number of years ago).

~~~
lloda
The hardware could easily be designed so that whenever the light is turned on,
it cannot be turned off for a second or w/e. Seems like an obvious solution.

~~~
moooo99
iirc some laptops do this. As soon as there is data transmitted from the
camera, the light will turn on. Another solution would be the sliding camera
cover some manufacturers have, but that doesn't really help with the built in
microphone.

------
rasta78
I find 75k for such a severe security issue a low figure; on the Apple security
bounty page the max payout for such an exploit is 500k.
[https://developer.apple.com/security-bounty/](https://developer.apple.com/security-bounty/)

~~~
mulmen
It’s a bug in Safari, not in the webcam so that may be why?

~~~
save_ferris
That could be, but it’s still far too low.

I imagine that a Black Mirror type of scandal involving this exploit could do
many millions if not billions in damage to Apple’s finances. Not to mention
what such an exploit might fetch on the black market.

~~~
elldoubleyew
I firmly believe that a government intelligence operation would be willing to
pay far more than 75k for this.

~~~
saagarjha
Bug bounty payouts are not meant to match what you can get on the black
market.

~~~
mulmen
That seems like a major flaw in bug bounties then. What else could they be
competing with?

~~~
saagarjha
There's more to the black market than just money: you often need to deal with
unscrupulous individuals (possibly a couple of levels removed) and risk going
to jail. The bounty incentivizes researchers to research and disclose, not
disincentivize people who were going to sell them anyway (who will pay whatever
it costs to get these anyway).

------
stock_toaster
I currently use oversight[1] to monitor mic and camera access and permissions.
It wouldn't protect against a kernel-mode (or rootkit) level exploit, but
provides _some_ coverage at least (at least that is what I tell myself).

[1]: [https://objective-see.com/products/oversight.html](https://objective-see.com/products/oversight.html)

~~~
danieldk
There is also Micro Snitch from the makers of Little Snitch:

[https://obdev.at/products/microsnitch/index.html](https://obdev.at/products/microsnitch/index.html)

------
nayuki
A somewhat related concurrent news item:
[https://news.ycombinator.com/item?id=22767843](https://news.ycombinator.com/item?id=22767843)
"Hardware Microphone Disconnect in Mac and iPad"

------
ahupp
I'm not sure what the conventions are these days, but the $75k bounty seems
reasonable for the severity of the problem (even if large compared to others
I've seen). What's the record bounty size so far?

~~~
ht85
While I'm glad they didn't give one of those insulting 10k payouts, I'm
actually surprised this one wasn't higher.

This isn't a complete remote takeover but accessing a live feed of an
unsuspecting person just by them opening a URL seems like a really big deal
for a company that is all about privacy.

------
mulmen
This is why I have a piece of tape over my webcam.

I really don’t need a webcam on my MacBook at all. Kinda like I don’t need a
microphone on my TV. Why are these not optional on devices? How do we know
this is really what consumers want?

It feels like a lesson from the “you can have any color as long as it’s black”
school of consumer choice.

~~~
m463
Purism laptops come with hardware switches for camera/mic and bt/wifi.

(though the switch isn't labeled as to which direction is on and which is off,
which might have changed in current models)

~~~
mulmen
Haha that’s amazing. Finally someone gives us what we are asking for and it
still doesn’t work!

~~~
m463
no it works (flip the switch and the USB device disappears). but on and off
should be labeled.

------
Razengan
At this point, if you’re not going to stop reinventing every single wheel to
make websites turn into apps, might as well treat every website like a
standalone, fully-sandboxed app with its own set of permissions just like
every other native app.

------
jefftk
I wonder whether any of this code predates the Blink-WebKit fork, and if so
whether any of this applies to Chrome/Edge/Brave/etc. I'm guessing no since
they're not mentioning it, but a lot of this sounds like deep old stuff.

------
thyme_tea
This exploit works by imitating a website which has camera/microphone
privileges, correct?

So could you prevent it by revoking all of said privileges for all websites in
Safari's settings?

~~~
om2
On a vulnerable version you could do that. For clarity, the bugs that led to
this have been fixed in the latest Safari version on all platforms.

------
corentin88
Always thought a security issue like this one was about to appear someday.
Kudos to the bug hunter.

------
emmelaich
FWIW, Zoom clearly has your microphone on when muted .. because it alerts you
that you are muted when it detects noise.

~~~
diebeforei485
Zoom can't mute your mic entirely, only macOS can do that.

What it does is not transmit your voice.

------
aquir
op deserves the $75k! Good work!

------
diebeforei485
Excellent work.

------
david_w
Everyone should stop writing webpages which require javascript.

JavaScript is a security nightmare responsible for the overwhelming majority of
web-based CVEs.

JavaScript contributes mostly fluff to the vast majority of webpages.

What's worse, some pages check for it and deliver a totally blank page if it's
not enabled, just to punish the non-compliant.

Even worse than all of the above is the fact that JavaScript is the vehicle
through which users are IDed and tracked. It's the reason why telling your
browser to dump-cookie at the end of a session is ineffective.

Javascript is popular because people who own websites demand it be enabled.
They demand that so they can fingerprint you- no other REAL reason for
Javascript's popularity.

Every single person on this particular forum either knows or can clearly see
what I am saying is true, but their jobs depend on them selling their
Javascript skills and that's the reason this post, as you read it, is fading
to gray as its downvoted.

JavaScript is the instrumentality of the surveillance state. That's 98% of its
utility.

All webpages should have a non-Javascript, "here's the info" version available
and the fact they don't is a scandal and we are the culprits.

~~~
zlsa
JavaScript is not necessary on the majority of pages it's used on, but to say
everybody should stop using it on the web is absurd. JS makes Google Docs,
Slack, and a thousand other applications possible; without it, they'd need to
be native applications instead (which, while needing to be manually installed,
almost always don't have the level of sandboxing that browsers normally
provide.)

~~~
david_w
"JS makes Google Docs, Slack, and a thousand other applications .."

...I never use.

Take all the JS on all the webpages and throw away every page to which it's
not essential. Call the remainder set A.

From set A, throw away every application whose functionality could
_essentially_ be replaced by something like an ASP or JSP/Servlet round-trip
hit without it much bothering anyone, as in the olden days. Call the remainder
Set B.

Take everything in set B and task yourself with creating a secure methodology
of obtaining the same or similar level of utility not involving Javascript or
anything less secure.

Compare the effort to do that with the sum total cost of what Javascript has
inflicted on the world.

Include in your calculations direct financial losses, expenditures in counter-
measures, all the manhours spent in ameliorating all the breaches in security
caused by Javascript, all the human toll of being tracked - by Javascript-
online...

In fact, let's just keep this simple, forget all that.

Every time any human being in any security agency in all nations the world
over is engaged in any activity, offensive or defensive, which has as its
ultimate root cause Javascript, just make that the bill you have to pay.

Now look at the net gain (Google Docs!) and the net cost and tell me
Javascript is a great idea.

I got some time ago that not everyone shares my hierarchy of values and
concerns. You use Twitter and Facebook and Google etc. etc. ad nauseam... all
forks where each time I chose the other path.

But by saying "no" to that steaming pile of shit I don't find I've said no to
modernity and I don't find myself disadvantaged in any way. Those things are
not modernity or even the web- they're gadgets. Gadgets you love and can't
imagine living without, that's all, like the smartphone you have, and I don't.

J'accuse our world of the following. We have cost everyone incalculable wealth,
time, opportunity and frankly the attention of some of the best minds of the
past two generations all to buy ourselves a very particular, circumscribed and
unnecessary kind of interactivity on our computer screens.

We have recklessly trodden very far down a dangerous and even deadly path,
step by step, merely because at each point along the way we counted our own
sunk efforts and extant artefacts as the measure of all things. This, and we
have effectively coerced the world into following us.

~~~
somehnguy
Maybe computers aren't quite for you. Pen and paper is safer.

