Usually the worst something that happens when you have dozens of browser tabs open is that you can’t find the one that suddenly starts showing random ads. But a group of vulnerabilities in macOS — patched by Apple late last year — may have exposed your Safari tabs and other browser settings to attack, opening the door for hackers to take control of your online accounts, turn on your microphone or taken through your webcam.
MacOS has built-in defenses to prevent this kind of attack, including Gatekeeper, which verifies the validity of the software your Mac is running. But this hack bypassed those safeguards by abusing iCloud and Safari features that macOS already trusts. While looking for potential weaknesses in Safari, independent security researcher Ryan Pickren began looking at iCloud’s document sharing mechanism because of the trust inherent between iCloud and macOS. When you share an iCloud document with another user, Apple uses a behind-the-scenes app called ShareBear to coordinate the transfer. Pickren found that he could manipulate ShareBear to offer victims a malicious file.
In fact, the file itself doesn’t even have to be malicious to begin with, making it easy for victims to offer something enticing and trick them into clicking. Pickren found that because of the trusted connection between Safari, iCloud, and ShareBear, an attacker could actually review what he shared with a victim later and quietly swap the file with a malicious one. All of this can happen without the victim receiving a new iCloud prompt or knowing that anything has changed.
Once the hacker mounts the attack, they can essentially take over Safari, see what the victim sees, access the accounts the victim is logged into, and abuse the permissions the victim has granted websites to access their camera and microphone. The attacker can also access other files stored locally on the victim’s Mac.
“The attacker is actually drilling a hole in the browser,” said Ryan Pickren, a security researcher who uncovered Apple’s vulnerabilities. “So if you’re logged into Twitter.com in a tab, I can jump into it and do everything you can from Twitter.com. But this has nothing to do with Twitter’s servers or security; I, as an attacker, simply assume the role you already have in your browser.
In October, Apple fixed a vulnerability in Safari’s WebKit engine and made revisions to iCloud. And in December, it patched a related vulnerability in its script editor automation and code editing tool.
