A couple of years ago, research student Ryan Pickren found security holes in iOS and Mac OS that made it possible to access the camera on any Apple device. Now he has done the same thing again on Mac OS, reports 9to5Mac.
The new hack chains a series of minor security flaws in Safari 15 and iCloud sharing to get around both Gatekeeper and the Mac OS privacy dialogs. It provides access not only to the camera and microphone but also to all websites you are logged in to.
To trigger the hack, the user is tricked into opening a document that is shared via iCloud, for example a completely unprotected Pages document with nothing unusual about it. Once the user has approved the sharing and opened the document, no further security checks are performed on the content, and the attacker gets to work.
The contents of the file are changed to a maliciously crafted disk image, and another trick gets Safari to open it without triggering Gatekeeper. When everything is chained together, the attacker gets access to the webcam, microphone, Safari's history and more.
Ryan Pickren reported the issue to Apple this summer. The company released fixes in Safari 15 and Mac OS 12.0.1 and has given Ryan Pickren the highest possible payout in its bug bounty program, $100,000.
Read the entire technical review of the hack here.