from Hacker News

Hacking the Apple Webcam (Again)

by sync on 1/25/22, 6:58 PM with 73 comments

  • by throwaway81523 on 1/25/22, 10:01 PM

    > "This research resulted in 4 0day bugs (CVE-2021-30861, CVE-2021-30975, and two without CVEs), 2 of which were used in the camera hack. I reported this chain to Apple and was awarded $100,500 as a bounty."

    Writing a secure browser for today's web appears to be a technological challenge comparable to a level 5 self-driving car. It has not been shown to be feasible. So such cars are not permitted to be deployed on the world's roads. Today's web sites and browsers should similarly not be deployed on the world's infobahns.

  • by user3939382 on 1/26/22, 1:00 AM

    I’m a fan of OpenBSD where I run ‘ps -ax’ and get a list of about 10 processes, all of whose purpose is obvious.

    On macOS I spend the first few days disabling several dozen junk processes I didn’t ask for and don’t want. This includes classroom tools (??) and all kinds of syncing/sharing daemons I have no use for.

    This exploit reinforces what we already know — computers are impossible to secure, you should reduce attack surface where possible. If you get a little privacy and performance out of it all the better.

  • by dmitriid on 1/25/22, 10:20 PM

    > While this bug does require the victim to click "open" on a popup from my website, it results in more than just multimedia permission hijacking.

    That's why I'm so wary of browsers (well, a certain browser) adding more and more APIs that hide behind permission popups. People will blindly click them.

    And I fully agree with a sibling comment: "Writing a secure browser for today's web appears to be a technological challenge comparable to a level 5 self-driving car", https://news.ycombinator.com/item?id=30078738

  • by tomaskafka on 1/26/22, 9:33 AM

    Apple: "Safari is the most locked down and secure browser that never runs anything without the user's permission."

    Also Apple: "We have built in a long list of exceptions for Apple services, because it's impossible for an Apple service to have an exploit."

  • by Mougatine on 1/25/22, 10:50 PM

    A $100,500 bounty seems pretty cheap compared to the severity of the issue, or is it common?

  • by shp0ngle on 1/26/22, 4:27 AM

    This does not relate to "webcam" at all? This allows injecting any script into any source; that seems more scary than "just" hacking a webcam?

    Also it makes me reconsider using Safari, seeing all these "special cases" of iCloud and iPhoto URLs being allowed.

  • by moooo99 on 1/25/22, 10:35 PM

    Reading articles like that always blows my mind. I can't even imagine how people can come up with exploit chains like that. Congratulations, well deserved bounty!

  • by alexk307 on 1/25/22, 10:10 PM

    This is incredible and terrifying. Well done.

  • by christopherwxyz on 1/26/22, 1:26 AM

    Congrats, Ryan! Well deserved.

  • by daddysnake on 1/26/22, 2:06 AM

    Lucky for me my MacBook camera isn’t being detected.

  • by Sirened on 1/26/22, 2:37 AM

    congrats :) I've always suspected you could use iCloud Sharing as a great one-click vector but I never quite cracked it. I wonder if Apple will ever kill the webarchive UXSS—it's been public for almost five or six years at this point and it violates so many assumptions LOL.

  • by lodovic on 1/25/22, 10:41 PM

    Such a good write-up, well done!

  • by sabujp on 1/25/22, 9:11 PM

    congrats

  • by fortran77 on 1/26/22, 2:29 AM

    Why does this keep happening to Apple?