This is amazing work. You’ll never see XFO the same way again.
It says that Safari 13.0.4 (macOS) and earlier is required to reproduce; Safari 13.1 was released last week, so if you’re allowing macOS to stay up to date, you’re okay there. I didn’t see a clear answer for iOS, but if they published, it has likely been fixed in iOS as well (or else they’d miss out on a $75k bounty).
Is it me or does "webcam hacking" really undersell the bug here?
From the write up at https://www.ryanpickren.com/webcam-hacking , the bug chain appears to allow script execution in "arbitrary" domain context, which at first glance seems much bigger than just webcam extraction. Sticking up someone's face is attention grabbing compared to what could be done with that kind of power.
Is it because of the first bug in the chain that only the media permissions were affected by the context confusion?
For example being able to extract cookies or local storage from other contexts would be a much bigger deal (local storage is sometimes used to store XSRF protection keys or other credentials), so I assume that wasn't at all affected?
Did any other parts of Safari use the same broken context awareness as the media permissions, or do we know that it was isolated to media permissions?
This appears to only control the media permissions. I'm reading through the long writeup now, and it talks about how this is something other than the site origin; instead, it's running its own URL parser with custom logic against all pages in order to map them to website permissions.
It says here he was awarded $75,000, instead of the $150,000 listed on the Apple page for this type of exploit. Later on, Apple specifies:
> Reports that include a basic proof of concept instead of a working exploit are eligible to receive no more than 50% of the maximum payout amount.
Can someone explain to me what would have counted as a “working exploit” here vs. simple proof of concept? They can’t mean actually finding it in the wild right? The OP’s example seems working enough to me, and this looks like a really bad bug.
Going along with other comments on this thread, if it's the case that you have access to anything that domain has access to, and the webcam is just a flashy way of demonstrating this, I would certainly consider it broad access. I would assume this is the case since the problem appears to be in URI parsing, not webcam code.
Of course, if the bug was reported as a webcam issue then I suppose it could be maybe argued that it's fine that they paid for it as such.
I'm not saying I agree or disagree with what Apple gave him, I'm just stating that's why. His proof of concept wasn't god-mode, it was access to the webcam. If he wants the extra $75k, and the exploit allows full access, I'd imagine he'd be incentivized to show full access.
Rather than waiting on people to change their behavior (stopping the use of one of the fundamental elements of typography), you would have greater luck installing a browser plugin that removes <i> tags from webpages.
Consider emailing the site admins (footer Contact link) and ask them for a userpref to disable italics. They provided the italics feature and so it will be used for various purposes, but if it's materially impacting your ability to use the site, they'll certainly want to hear about that. I'm not guaranteeing that they will reply or agree, as I'm not an admin.
Do you have any recommendations for browser addons/extensions/etc. that strip italics from all sites? I wasn't able to find any in a simple search and I imagine you'd have more experience in this area for others seeing your comment, agreeing with it, and then wishing something like that existed.
It seems URI/authority/domain parsing for authorization purposes is highly risky and leaves a lot to be desired. Another recent high-impact URI parsing bug in Google’s core library that led to Google-wide domain check bypass: https://news.ycombinator.com/item?id=22527842
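The two comments above (the custom permission-mapping parser, and the risk of hand-rolled URI parsing for authorization) describe a class of bug rather than a specific one. The following is an added illustration, not code from the thread or from the write-up it discusses: a permission store keyed on the browser-style origin (scheme, host, port) next to a hypothetical hand-rolled "site" regex, plus a differential check that flags constructed URLs the two would classify differently.

```python
# Added example: origin-keyed permission grants versus a hand-rolled
# hostname regex, with a differential check over constructed URLs.
# The regex and the PermissionStore are hypothetical, not any browser's code.
from urllib.parse import urlsplit
import re

DEFAULT_PORTS = {"http": 80, "https": 443}


def canonical_origin(url: str) -> str:
    """Serialize the (scheme, host, port) origin the way the same-origin
    policy does. Anything that is not http(s) with a host is 'null',
    which never matches a stored grant."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower().rstrip(".")
    if scheme not in DEFAULT_PORTS or not host:
        return "null"
    try:
        port = parts.port or DEFAULT_PORTS[scheme]
    except ValueError:            # malformed port such as ':abc'
        return "null"
    return f"{scheme}://{host}:{port}"


# Hypothetical "custom logic": grab what looks like a hostname after '://',
# skipping any userinfo and ignoring scheme and port entirely.
NAIVE_SITE = re.compile(r"^\w+://(?:[^@/]*@)?([^:/]+)")


def naive_site(url: str) -> str:
    """Hostname as the hand-rolled parser sees it (lower-cased), or ''."""
    m = NAIVE_SITE.match(url)
    return m.group(1).lower() if m else ""


class PermissionStore:
    """Camera grants keyed by canonical origin only."""

    def __init__(self) -> None:
        self._granted: set[str] = set()

    def grant(self, url: str) -> None:
        self._granted.add(canonical_origin(url))

    def allowed(self, url: str) -> bool:
        origin = canonical_origin(url)
        return origin != "null" and origin in self._granted


def find_disagreements(granted_url: str, candidates: list[str]) -> list[str]:
    """Return candidates where the naive hostname match and the origin
    match disagree; each one is a place the custom parser would grant
    (or deny) differently from the browser's own origin check."""
    store = PermissionStore()
    store.grant(granted_url)
    site = naive_site(granted_url)
    return [c for c in candidates
            if (naive_site(c) == site) != store.allowed(c)]
```

On the constructed inputs below, the scheme-only and port-only variants are the ones the hostname regex would wrongly lump in with the granted origin.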
Good work! People talk about how a webcam cover is essential on laptops, but I think the iOS side of this exploit is even more crucial. Very few people use camera covers for phones, because they are ugly and new phones have FaceID etc., which makes it impossible to use a camera cover daily. More importantly, we take our phones to places more private, like bathrooms. Now that iOS Safari supports front-facing camera streams, I think this discovery is worth more than $75K.
On laptops, there's usually a light that turns on when the camera is active. I (like to) believe that this light is controlled by the camera's firmware, i.e., it can't be manipulated by software? Can someone knowledgeable confirm this?
> I (like to) believe that this light is controlled by the camera's firmware, i.e., it can't be manipulated by software?
Hit and miss.
If it can be controlled by the camera's firmware, then it can be controlled by software. All it takes is a bug in the firmware, which is unlikely to ever be updated.
Some camera lights are controlled by the firmware, others are wired onto the data line, so the moment data is going either way, they light up.
However, defeating the light even in the directly wired case is possible, and has been done many times. If you fire up the camera, take a photo, and turn off quickly enough, the light won't be perceived by the victim. (I believe the FBI and the NSA both had tools that did this that became public knowledge a number of years ago).
> All it takes is a bug in the firmware, which is unlikely to ever be updated.
FWIW, Apple system (OS) updates frequently include firmware updates, not only for the FEP/boot code but other devices as well, especially for security issues. Apple has been pretty good about this.
Not addressing the rest of your comment, just this one point.
PS: don’t know why the phones don’t have a similar indicator for “front camera on” and “speaker mode on”. BOM cost I suppose.
The hardware could easily be designed so that whenever the light is turned on, it cannot be turned off for a second or w/e. Seems like an obvious solution.
iirc some laptops do this. As soon as there is data transmitted from the camera, the light will turn on. Another solution would be the sliding camera cover some manufacturers have, but that doesn't really help with the built in microphone.
"We observed that, on average, fewer than half of our participants (45%) noticed the existing indicator during computer-based tasks. When seated in front of the computer performing a paper-based task, only 5% noticed the indicator."
Could those stats be improved with a different type of light/higher intensity? A sound notification wouldn't be practical, I suppose, but that is also easier to notice than a tiny green dot on the top of the screen.
On modern Macs since some time before 2016 there is a hardwired line from the sensor to the LED that is not vulnerable to a firmware hack[0]. However, if an app just takes still photos the light could be on for a very brief period of time.
In addition to the hardware light, I also use Micro Snitch (from the maker of Little Snitch) which provides on-screen notification whenever the camera/microphone is activated/active.
It is. However, there was an exploit on older MacBooks where an attacker managed to flash the firmware, disabling the LED. I believe recent Macs are much more hardened in both hardware and software. Still a possibility.
I was under the distinct understanding that on modern macbooks it was hardwired in. If the camera receives power, then the light is on. If the camera doesn't have power then the light is off.
I imagine that a Black Mirror type of scandal involving this exploit could do many millions if not billions in damage to Apple’s finances. Not to mention what such an exploit might fetch on the black market.
There's more to the black market than just money: you often need to deal with unscrupulous individuals (possibly a couple of levels removed) and risk going to jail. The bounty incentivizes researchers to research and disclose, not disincentivize people who were going to sell them anyway (who will pay whatever it costs to get these anyway).
The black market responds to the legal markets. Unless you think that these companies can ultimately win a bidding war against black market actors, trying too desperately to win over the black hats will just enrich them further.
They're designed to disincentivize moral people from selling such secrets on the black market, and show that companies care about fixing bugs. Authoritarian governments will always be more than willing to offer large sums of money for such exploits.
I currently use oversight[1] to monitor mic and camera access and permissions. It wouldn't protect against a kernel-mode (or rootkit) level exploit, but provides _some_ coverage at least (at least that is what I tell myself).
I'm not sure what the conventions are these days, but the $75k bounty seems reasonable for the severity of the problem (even if large compared to others I've seen). What's the record bounty size so far?
While I'm glad they didn't give one of those insulting 10k payouts, I'm actually surprised this one wasn't higher.
This isn't a complete remote takeover but accessing a live feed of an unsuspecting person just by them opening a URL seems like a really big deal for a company that is all about privacy.
This is why I have a piece of tape over my webcam.
I really don’t need a webcam on my MacBook at all. Kinda like I don’t need a microphone on my TV. Why are these not optional on devices? How do we know this is really what consumers want?
It feels like a lesson from the “you can have any color as long as it’s black” school of consumer choice.
> "I really don't need a webcam ... Why are these not optional on devices?"
The webcam is cheap enough that the cost to make it optional (ie: added manufacturing and logistical complexity of another model variant) would greatly exceed the cost of the part.
Most people (except some high security military/intelligence customers, perhaps) aren’t willing to pay more to not have a webcam.
You’re right of course. I’m still uncomfortable with the number of cameras and microphones that found their way into my home. Especially for how rarely I use them. I don’t feel like my life is much better with them around.
I'm not sure about smartphones but it seems like a physical cover would be a perfect fit on a notebook. Maybe the reason it isn't done is that it gives bad vibes to people about being spied on without their knowledge?
Because according to the seller’s analysis, the probability of marginal profit is not sufficient.
>How do we know this is really what consumers want?
“We” don’t, and short of a worldwide poll, one can only guess. The seller, especially as one of the most profitable entities in the world, is presumed to be able to come up with decent market analysis.
You could whip up a quick script to move driver kexts for mic and camera in and out of extensions folder essentially toggling the functionality. This would require a reboot though.
I put an inline switch on the supply line of my thinkpad camera. The hardest part is mechanically placing the switch so it's not in the way and can be used easily.
It's actually getting worse. The 2020 MacBook Air has soldered secondary storage, in a day when NVMe drives are as tiny as ever. So now if you want to upgrade from 256 GB to 1 TB you need to buy an entirely new board.
I'm not sure, but hasn't it been like this since... 2018 or so? I thought all after-market upgrade possibilities were gone, because they started soldering the RAM and everything else. Didn't know you could upgrade any storage at all.
I don’t have an easy (non-destructive) fix for that one and I actually do voice chats with my laptop. I’d feel better about a real hardware switch for both or a separate device. Sadly that doesn’t seem to be an option.
There are external microphones with an on/off switch; of course, if you can't tell the Mac to never use the built-in microphone, it's probably neither here nor there.
And what about all your data? (photos, emails, texts, browsing history, passwords, etc.) If an attacker has compromised my computer to such an extent that they'd be able to record me, I'd be more worried about access to my private data than I am about being photographed through the webcam.
Well, as this case shows, an attacker doesn't always need to get low-level access to your device in order to capture video and audio. So there is still a valid concern about being recorded.
FWIW thinkpads have a function key on the keyboard to mute the microphone. With indicator LED.
I don't know how it is implemented, may be in software, may be done in firmware. It won't be perfect but at least it gives you a visual indication that your mic is (or should be) muted.
At this point, if you're not going to stop reinventing every single wheel to make websites turn into apps, you might as well treat every website like a standalone, fully-sandboxed app with its own set of permissions, just like every other native app.
I wonder whether any of this code predates the Blink-WebKit fork, and if so whether any of this applies to Chrome/Edge/Brave/etc. I'm guessing no since they're not mentioning it, but a lot of this sounds like deep old stuff.
This occurs when you've joined the call with computer audio. I was super glad to see that popup when it started appearing a while ago. I don't work for Zoom, but here's how you can manage Zoom vs. microphone stuff in more detail than just Mute:
If your Preferences > Audio > "Join audio by computer" setting is enabled, then it'll do so automatically. While in a call, if you want to disconnect the microphone rather than mute it, hit the dropdown menu to the right of the Mute button and choose "Leave computer audio" at the bottom.
Everyone should stop writing webpages which require javascript.
Javascript is a security nightmare responsible for the overwhelming majority of web-based CVEs.
Javascript contributes mostly fluff to the vast majority of webpages.
What's worse, some pages check for it and deliver a totally blank page if it's not enabled, just to punish the non-compliant.
Even worse than all of the above is the fact that Javascript is the vehicle through which users are IDed and tracked. It's the reason why telling your browser to dump cookies at the end of a session is ineffective.
Javascript is popular because people who own websites demand it be enabled. They demand that so they can fingerprint you- no other REAL reason for Javascript's popularity.
Every single person on this particular forum either knows or can clearly see that what I am saying is true, but their jobs depend on them selling their Javascript skills, and that's the reason this post, as you read it, is fading to gray as it's downvoted.
Javascript is the instrumentality of the surveillance state. That's 98% of its utility.
All webpages should have a non-Javascript, "here's the info" version available and the fact they don't is a scandal and we are the culprits.
Tools don't exist for their own sake. They exist to solve problems. In the world before javascript, we still had interactive applications on the internet, we just built them with different tools, which were usually worse than the security model of javascript. If we got rid of javascript, we wouldn't get rid of interactive applications, we'd just build them a different way again.
Also, you can definitely be fingerprinted without javascript. The web is a huge stack of technologies, and most of them can be fingerprinted, all the way down to at least layer 4. (...and layer 2 if you're not on a network you control)
JavaScript is not necessary on the majority of pages it's used on, but to say everybody should stop using it on the web is absurd. JS makes Google Docs, Slack, and a thousand other applications possible; without it, they'd need to be native applications instead (which, while needing to be manually installed, almost always don't have the level of sandboxing that browsers normally provide.)
"JS makes Google Docs, Slack, and a thousand other applications .."
...I never use.
Take all the JS on all the webpages and throw away every page to which it's not essential. Call the remainder set A.
From set A, throw away every application whose functionality could essentially be replaced by something like an ASP or JSP/Servlet round-trip hit without it much bothering anyone, as in the olden days. Call the remainder set B.
Take everything in set B and task yourself with creating a secure methodology of obtaining the same or similar level of utility not involving Javascript or anything less secure.
Compare the effort to do that with the sum total cost of what Javascript has inflicted on the world.
Include in your calculations direct financial losses, expenditures in counter-measures, all the manhours spent in ameliorating all the breaches in security caused by Javascript, all the human toll of being tracked - by Javascript- online...
In fact, let's just keep this simple, forget all that.
Every time any human being in any security agency in all nations the world over is engaged in any activity, offensive or defensive, which has as its ultimate root cause Javascript, just make that the bill you have to pay.
Now look at the net gain (Google Docs!) and the net cost and tell me Javascript is a great idea.
I got some time ago that not everyone shares my hierarchy of values and concerns. You use Twitter and Facebook and Google etc. etc. ad nauseam... all forks where each time I chose the other path.
But by saying "no" to that steaming pile of shit I don't find I've said no to modernity, and I don't find myself disadvantaged in any way. Those things are not modernity or even the web; they're gadgets. Gadgets you love and can't imagine living without, that's all, like the smartphone you have, and I don't.
J'accuse our world of the following. We have cost everyone incalculable wealth, time, opportunity and frankly the attention of some of the best minds of the past two generations, all to buy ourselves a very particular, circumscribed and unnecessary kind of interactivity on our computer screens.
We have recklessly trodden very far down a dangerous and even deadly path, step by step, merely because at each point along the way we counted our own sunk efforts and extant artefacts as the measure of all things. This, and we have effectively coerced the world into following us.
I have to agree with you. The vast majority of websites on the internet don't need JS for any functionality, and it's only used for ads, tracking, etc.