iPhone Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/iphone/
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.

ChatGPT Causes New Wave of Fleeceware
https://gridinsoft.com/blogs/chatgpt-fleeceware/
Tue, 23 May 2023 22:06:46 +0000

Artificial intelligence is one of the most significant advances in technology. It is used in one way or another everywhere, from voice input recognition on your smartphone to autopilot systems in cars. The latest development in the industry, the launch of OpenAI’s ChatGPT, has caused such a stir that some influential people want to temporarily halt its growth. Unfortunately, scammers and those who wish to profit from the hype have not stayed away either: they have started creating fleeceware that empties users’ wallets. We will talk about it now.

What is fleeceware?

Fleeceware apps have free versions that perform little or no function, or that constantly and deliberately bombard users with ads for in-app purchases that unlock the actual functionality. In this way, tricky developers push users to sign up for a subscription, which can be unnecessarily expensive. Here are the main signs of fleeceware:

  • The app’s functionality is free from other online sources or through the mobile OS.
  • The app forces the user to sign up for a short trial period. In the end, the user is charged periodically for the subscription.
  • The app floods the user with ads, making the free version unusable.

Usually, during installation, such apps request permission to track your activity in other apps and websites, and ask you to rate the app before you have even used it. Amid this flood of permission requests, such as for sending notifications, the app tries to get the user to sign up for a “free” trial.

[Screenshot: the app asks permission to track your activity; you can tap “Ask App Not to Track”]

The pseudo-developers are banking on the user not paying attention to the cost, or forgetting that they have the subscription at all. Since fleeceware is designed to be useless after the free trial period ends, users uninstall it from their devices. However, uninstalling the app does not cancel the subscription, and the user keeps being charged monthly, and sometimes weekly, for a subscription they don’t even use.

“FleeceGPT”

Researchers recently published a report stating that one mobile app developer made $1 million per month simply by charging users $7 weekly for a ChatGPT subscription. If you’ve never used the chatbot, this may not sound unusual. The catch, however, is that OpenAI provides this service to users for free. In addition, while sweeping the Google Play and Apple App Stores, experts found several other ChatGPT-related fleeceware apps.

The fleeceware app “Genie AI Chatbot” was downloaded more than 2m times from the App Store in the past month. The first reason this app can be called fleeceware is that a popup asks you to rate the app before it has fully launched, and the app also asks to track your actions in other apps and websites. While this app does fulfill its stated function, without a subscription it only handles four requests per day, which is extremely low. To remove this limitation, the user has to subscribe for $7 per week, which is costly.

Measures against fleeceware

Unfortunately, there are a lot of such applications in the official stores, and store owners are in no hurry to remove them. The point is that the store receives a commission on each transaction in the app. For example, Apple gets 30% of each in-app purchase, so it has no interest in giving up that income. However, both Apple and Google have store rules designed to combat earlier generations of fleeceware. These rules were meant to curb app fraud, as some apps had been charging over $200 monthly. Under the new rules, developers must disclose subscription fees in advance and allow users to cancel the subscription before the payment is taken.

However, savvy scammers are finding ways around these rules. According to research, the number of ChatGPT-related web domains increased by 910% from November to April, and URL filtering systems intercepted about 118 malicious web addresses daily. Since ChatGPT is not officially available in some countries, there is high demand for ways to bypass that restriction. It costs as little as 8 cents to output 1,000 words through the OpenAI API, and a monthly subscription to the latest ChatGPT is $20. Yet scammers offer the functionality of the basic version of the chatbot for an average of $1 a day. And even after Google and Apple received reports of the fleeceware, some apps were not removed.

Why aren’t the platforms removing some apps?

With more than 20 million iOS developers registered on the App Store and thousands of new apps released monthly, monitoring all of this is a tremendous job, even for Apple. Moreover, some fleeceware apps are repackaged web apps, so their functionality depends directly on a remote content platform. Such apps pose a particular risk: to add malicious functionality, the developer only needs to make changes on the remote side, without touching the local code. This is a common tactic for bypassing the protection of official app stores. The only effective way to avoid becoming a victim of such applications is to be vigilant when installing an application: read the description carefully and check what information the application asks for.

How to cancel the subscription?

There are two types of purchases in online app stores. The first is a one-time purchase. In this case, you pay once and get the application or functionality permanently. The app is added to your library, and you can download it or restore the purchase (if it is an in-app purchase) at any time, with no additional fees. The second is a subscription to the app or a feature. This means you rent the app or individual components for a recurring payment. However, by the logic of this system, if you subscribe to the app and then delete it, the subscription is not canceled. Consequently, you will be charged even if you don’t use the app. Some apps offer both monthly or weekly subscriptions and a one-time purchase, which is the best option for both the developer and the user.

To cancel your subscription on iOS, follow these steps:

1. Open the Settings app.
2. Tap your name.
3. Tap Subscriptions.
4. Tap the subscription you want to cancel.
5. Tap Unsubscribe.

The subscription has already been canceled if there is no “Cancel” button or if you see an expiration message in red text.

To cancel your Android subscription, do the following:

1. Open your subscriptions in Google Play on your Android device.
2. Then select the subscription you want to cancel.
3. Tap Unsubscribe.
4. Follow the instructions.

How to avoid fleeceware in the future?

Since fleeceware does not harm your device, app stores are in no hurry to remove it. It does hurt your wallet, though, so prevention is primarily up to the user. The following tips will help you avoid these increasingly successful scams.

  • Beware of free trial subscriptions. Most fleeceware apps lure users with free three-day trials. However, once the trial period expires, you will be charged for the subscription without warning.
  • Scrutinize the terms of service carefully. Always read the information in the app profile carefully, including the terms and conditions and the in-app purchases section. This section usually lists all the paid features in the app, and the actual subscription cost is generally listed somewhere at the bottom of the page.
  • Read more reviews. Fleeceware creators often try to flood the reviews section of their apps with fake reviews. Flip through a few pages or sort the reviews; if the five-star reviews at the top are followed by one-star reviews, it’s probably fleeceware.
  • Don’t be fooled by the ads. Scammers often promote their software through video ads, for example on social media. Sometimes these ads have nothing to do with the promoted application.
  • Improve your payment hygiene. Never use your primary card to pay for subscriptions. Instead, create a separate or virtual card and keep on it only as much money as your existing subscriptions need.
  • Set a low online payment limit on your primary cards, or disable online payments altogether. Also, set up an additional password or biometric verification for payments. This will prevent unwanted subscription fees from going unnoticed.

Was Your Apple ID Hacked? Here’s How To Secure Your Account
https://gridinsoft.com/blogs/apple-id-hacked-secure-account/
Fri, 13 Jan 2023 17:07:42 +0000

Apple’s services and products are only accessible through its walled garden: users can only access them with an Apple ID. If someone figures out your Apple ID credentials, a lot of personal data is at risk. Anyone with access to the account can read all your emails, whether or not they were sent through the account. In addition, they can view calendar entries, contact information, photos, videos, and even files stored in iCloud Drive. If Find My iPhone is enabled, an intruder can access the GPS location of your phone, as well as your notes. But how can this happen? And what can you do about it? Let’s get into it together.

How do Hackers Get Your Apple ID?

Today’s digital world is rife with threats, and you can never be fully sure of your online safety. Hackers keep developing new methods of accessing other people’s phones, and these can be difficult to detect. Two of the most common are spyware and phishing.

It is not obvious to everybody how an iPhone app may contain spyware. To spread it, hackers use developer account tricks, disguising the spyware application as a game or program that is not available in the App Store. The standard disguise is a cracked version of a paid game/program or some “unique” utility. Users find an ad for such an app somewhere online, follow the instructions, and install a third-party app that is not controlled by the App Store administration. Of course, not all programs installed this way are malicious, but it is always risky.

[Screenshot: Lockdown Mode, with a warning from Apple that your device has been compromised]

In the case of phishing, the attacker tries to get your iCloud access data. To do that, they send you fake e-mails on behalf of important companies, asking you to fill out forms and send them confidential data such as insurance numbers, passwords, and usernames. Phishing messages also carry external links that lead to malicious applications.

8 Warning Signs of Apple ID Compromise

As soon as hackers get into your account, you can spot their intrusion if you pay attention to the following signs:

  • Your Apple ID password is not working.
  • Your device is locked or placed into “Lost Mode” even though you did not lose it.
  • You observe files, apps, photos, or messages that you don’t recognize stored in iCloud or anywhere on your device.
  • You receive an Apple email stating that someone accessed your account from a new device.
  • You are informed that your account’s email or phone number was altered.
  • You are notified that your password was changed.
  • You receive receipts or documentation of unusual charges from the App Store or iTunes Store.
  • Your account information has been changed, for example a new name or address appears.

What To Do If Your Apple Account Is Hacked

A compromised iPhone can cause more problems than you can imagine. Be vigilant and avoid unnecessary clicks, whether on updates or websites. If you have noticed strange activity on your device, take the following steps to counteract it.

  • Log in to your Apple ID account page (appleid.apple.com). If you have trouble doing this, or receive a notification that the account is disabled or locked, try resetting the account from your iPhone or any other Apple device you’ve previously logged in on. To do so, go to Settings, tap your profile at the top, then go to Password & Security > Change Password and follow the instructions to reset your password. You can also sign in to your Apple ID account from a new device by selecting “Forgot Apple ID or password?”.
  • Next, change your Apple ID password, choosing a new, strong one. It will be more secure if your password contains letters, digits, and symbols. Consider using a password manager if you struggle to come up with one.
  • Additionally, review all of your personal information. Check your name, primary Apple ID email, backup emails, and phone number to ensure none of this was altered by the intruder. Otherwise, you may no longer be able to log in to your Apple ID and may lose all important files on your device.
  • The most important security measure is to enable 2FA for your Apple ID. Two-factor authentication adds a layer of security that prevents access to your account even if your password is compromised: you have to verify a second login credential, such as a PIN that you receive on your mobile device or a biometric check. iPhones have a built-in 2FA mechanism, and you can strengthen it further with a third-party 2FA app.

Calendar Virus Removal on iPhones & Mac
https://gridinsoft.com/blogs/how-to-get-rid-of-calendar-virus/
Tue, 08 Nov 2022 20:13:57 +0000

“Calendar virus” may not sound familiar to most users. What’s likely happening is that a calendar that mistakenly ended up on your device is spamming you with appointments. Whenever you receive a notification from one of these appointments, refrain from clicking any links within the message: doing so could infect your device with malicious software that steals your personal information. Read on to learn why you received this notification in your calendar and how to fix it.

What is a calendar virus?

App calendar malware, also called the Calendar Virus for iOS or the iPhone calendar virus, is a kind of spam targeting Apple devices that adds fake subscribed calendar accounts to a user’s device without their consent. Affected devices can be iPads, Mac computers, Apple Watches or iPhones. As a result of the spam, users receive notifications for “events” containing malicious links. Its effects are similar to what adware brings to the system it runs on. The terms “iPhone calendar spam” and “iOS calendar spam” refer to this activity on Apple’s OS. Such notifications often carry alarming titles to push you into following the link. Here are examples of typical messages:

Virus on iPhone? Clean up now!

Ensure your online protection, click now!

Your phone is not protected! Click to protect

Keep your iPhone safe from malicious attacks!

Your iPhone is infected with a virus! delete it now

Such messages play on the user’s curiosity and sense of urgency. Usually, after the user falls for one of these and clicks the link, it opens malicious sites or questionable software on their device, or redirects the victim to phishing pages.

Where does the iPhone Calendar Virus come from?

After reading the above, you probably wonder where the fake invitations in your calendar come from. Like most other malware, calendar viruses are spread through the same kind of malicious sites they advertise, or through social engineering. Before looking at how to get rid of the calendar virus, here are some typical ways of being infected by this nasty thing:

1. Attackers have got hold of your email address.

If an attacker has your email address, you will be a target of email spam in the future. This happens after you enter your email address on unfamiliar websites to confirm something or to buy a product. Such shady sites often sell your information to make money, and they don’t care about their customers’ comfort. In rarer cases, email addresses leak when companies suffer data breaches.

[Screenshot: example of a phishing email from an attacker]

2. You inadvertently clicked on a malicious link.

Some scam websites use fake captcha puzzles to bypass site warnings and trick you into downloading malware. Alternatively, they present calendar subscription prompts disguised as captchas to trick you into subscribing. If you’re in a hurry, clicking OK might seem easier than choosing any other option.

3. Receiving a spam link by text message

After clicking on a spam text that directs you to “track a package”, you subscribe to a calendar full of appointments, like “critical threats” and similar warnings. One of these spam messages might request tracking information and provide a link for accessing the Calendar.

[Screenshot: spam text message]

How to clear the calendar virus from an iPhone

Apple products are linked within the ecosystem. Once you get spam on your iPhone calendar, it will also show up on your other Apple devices. The tips below should help you get rid of calendar spam on your iPhone, iPad, Mac, and anywhere else. But how to remove the iPhone calendar virus from all devices simultaneously?

For Newer iPhones:

  • Go to Settings → Calendar → Accounts.
  • Find an account you don’t recognize and delete it. The calendar virus account name may be something like "Calendar Events", "Events Calendar", "Calendar Events Viewer", or similar.
  • Delete all calendar accounts you don’t know.
  • After removing them, your calendar should return to normal.

For Older iPhones:

  • Open the Calendar app.
  • Tap Calendar at the bottom of the screen.
  • Find the calendar you don’t recognize. Tap the More Info button next to it, then scroll down and tap Delete Calendar.

Cleaning Calendar Virus From your Mac:

  • Run Calendar (or iCal).
  • Click Calendar in the menu bar and select Settings.
  • On the General tab, in the Default Calendar menu, select only the calendar you want to use. Click “Save”.
  • Make sure that calendars you do not recognize or want to use are not selected or saved. This will delete them.

Cleaning Calendar Virus from iCloud.com:

  • Go to Calendar > click the gear icon > Settings.
  • From the Default Calendar menu, select only the calendar you want to use. Click "Save".
  • Make sure calendars you don’t know or don’t want to use are not selected or saved.

How to stop iPhone calendar spam?

Successful counteraction requires proactive measures and constant readiness, since the virus can be picked up any time you visit third-party sites. Below is a guide to reducing the risk to your account.

1. Block pop-ups in Safari

You can enable warnings for fraudulent websites on your iPhone or iPad by going to Settings > Safari, then navigating to the Websites tab. On a Mac, you can access this functionality by navigating to Safari > Preferences. Inside the Preferences section, find the Security tab and toggle Fraudulent Websites Warnings. Keeping Safari’s security settings enabled is important.

[Screenshot: blocking Safari pop-ups]

2. Be careful where you click.

Do not interact with fake calendar notifications; delete them instead. Also, be wary of links and attachments in texts or emails with unknown content, and when encountering captchas, avoid tapping or clicking them. For example, when responding to a suspicious appointment, do not click any links or active sections of the message. Instead, swipe from right to left and select Delete. Your iPhone may prompt you to Report Junk; if so, report the message by tapping Report Junk and then Confirm.

[Screenshot: deleting a spam message carrying the calendar virus]

3. Review and change your calendar settings

One of the best ways to reduce calendar spam is to block notifications. However, it’s also a good idea to make sure none of your devices are set to accept calendar invitations automatically. While this setting is convenient for busy people, it can be used as a loophole to inject unwanted spam into the Calendar. To change your calendar preferences:

  • Sign in to your iCloud account and select Calendar.
  • Click the gear icon in the bottom left corner of the app screen and select Settings.
  • Open the Advanced tab.
  • In the "Invitation" subsection, click the radio button next to the "Send an email to [your email address]" option to make this your default instead of "In-App Notifications."

Spy method NoReboot allows simulating iPhone shutdown and prying through the camera
https://gridinsoft.com/blogs/spy-method-noreboot-allows-simulating-iphone-shutdown/
Mon, 10 Jan 2022 19:03:35 +0000

The NoReboot spy method intercepts the iPhone restart and shutdown process and prevents them from ever happening.

ZecOps has developed a new method to simulate restarting or shutting down the iPhone and thereby prevent the removal of malware from it, with which hackers can secretly track the victim through the microphone and phone camera.

As a rule, to remove malware from an iOS device, it is enough to restart it. The method developed by ZecOps specialists intercepts reboots and shutdowns so that they never actually happen. This way the malware gains persistence, since the system never really shuts down.

“Since no vulnerabilities need to be exploited to carry out the NoReboot attack, Apple is unable to release a hotfix,” ZecOps experts say.

To restart an iPhone, the user needs to press and hold the power button or a volume button until a slider appears with the option to restart, then wait 30 seconds for the process to complete.

When the iPhone is turned off, the screen goes blank, the camera turns off, the long press does not respond, the ringtone and notification sounds fade and there is no vibration. ZecOps has developed a PoC Trojan capable of injecting special code into three iOS daemons to simulate shutdown by disabling all of these indicators.

[Figure: the NoReboot spy method]

The Trojan interrupts the shutdown event by intercepting the signal from the SpringBoard application, which is responsible for the user interface. Instead of the expected signal, the Trojan sends code that forcibly terminates SpringBoard, so the device stops responding to user actions and looks as if it is turned off.

The backboardd daemon, which registers physical button presses and timestamped screen touches, is then instructed to display the spinning wheel that indicates the device is turning off. The user believes the iPhone has turned off, releases the button early, and the real shutdown process never starts.

The video below shows the NoReboot attack in action. Judging by the video, it is very easy to convince the victim that their phone is turned off.

You might also be interested to know that Cybersecurity expert created an exploit to hack iPhone via Wi-Fi, and that Vulnerabilities allowed access to cameras on Mac, iPhone and iPad.

Vulnerability in Apple iCloud puts billion users at risk
https://gridinsoft.com/blogs/vulnerability-in-apple-icloud-puts-billion-users-at-risk/
Tue, 07 Dec 2021 22:12:50 +0000

Security of over a billion iPhone owners and users of popular instant messengers is at risk due to a vulnerability in Apple iCloud.

As Forbes reports, private messages sent via iMessage and WhatsApp on an iPhone are not secure with factory settings.

While encrypted apps like iMessage and WhatsApp keep messages on the device completely safe, a vulnerability in Apple’s iCloud backup system puts them at risk, and unauthorized people can access messages. This is possible as Apple stores message encryption keys in iCloud backups, which undermines the main security features that protect iMessage.

Apple states in its security policies: “End-to-end encryption protects iMessage conversations on all your devices, so Apple cannot read your messages as they are transferred between devices.”
This means that while messages are fully secured in transit between phones, they are not necessarily secured on the device or in the cloud.

“iMessage is secured by end-to-end encryption, the idea being that the keys to decrypt messages between you and those you message are only shared between you. That stops anyone intercepting your content. But in a bizarre twist, Apple stores a copy of those encryption keys in that iCloud backup, which it can access. That means the end-to-end encryption is actually fairly pointless,” information security specialist and Forbes columnist Zak Doffman writes.

Apple has come under a lot of pressure recently after an internal FBI document was released proving that the bureau regularly accesses messages on nine secure messengers, including iMessage and WhatsApp.

“If the target is using an iPhone and iCloud backup is enabled, the data returned by iCloud may contain WhatsApp data to include the content of the message,” the FBI document says.

To keep their messages safe, users can turn off iCloud backups.

Apple also urgently needs to change its approach to iCloud to stop storing encryption keys and avoid backing up encrypted data.

Experts showed fraudulent payments from a locked iPhone with Apple Pay and a Visa card
https://gridinsoft.com/blogs/payments-from-a-locked-iphone-with-apple-pay-and-a-visa-card/
Thu, 30 Sep 2021 19:44:35 +0000

Researchers have described how to make fraudulent payments using Apple Pay with a Visa card on a locked iPhone. The attack works over the air, even if the iPhone is in your bag or pocket, and has no limit on the number of transactions. A report on this issue [PDF] will be presented at the IEEE 2022 Symposium.

The research, published by the University of Birmingham and the University of Surrey, found that under certain conditions the iPhone will confirm almost any transaction. Typically, for a payment to go through, the iPhone user needs to unlock the device using Face ID, Touch ID, or a passcode. However, in some cases this is inconvenient, for example when paying public transport fares. For such cases, Apple Pay provides Express Transit, which allows transactions without unlocking the device.

Express Transit, for example, works with transport turnstiles and card readers that send a non-standard byte sequence bypassing the Apple Pay lock screen. The researchers say that in combination with a Visa card, “this feature can be used to bypass the Apple Pay lock screen and make illegal payments from a locked iPhone, using any EMV reader, for any amount and without user authorization.”

[Figure: payments with Apple Pay and Visa]

For example, the experts simulated a turnstile transaction using a Proxmark device acting as the card reader, which communicated with the target iPhone, and an NFC-enabled Android smartphone, which communicated with the payment terminal.

In essence, the method is a replay-and-relay man-in-the-middle attack: the Proxmark replays the transit “magic bytes” to the iPhone so that it believes it is dealing with a turnstile transaction, for which no user authentication is required to authorize the payment.

“The attack works by first replaying the ‘magic bytes’ for the iPhone in a way that it believes is a transaction with an EMV reader in the transport. Then, when relaying EMV messages, it is necessary to change the Terminal Transaction Qualifiers (TTQ) transmitted by the EMV terminal in such a way as to set the bits (flags) for Offline Data Authentication (ODA) for Online Authorizations and the corresponding supported EMV mode,” the authors of the report say.

Digging deeper, the researchers found they could also change the Card Transaction Qualifiers (CTQ), which set the limits for contactless transactions, and thereby make the card reader believe that user authentication had been successfully completed on the mobile device.

In their experiments the researchers made a £1000 transaction from a locked iPhone and successfully tested the attack on an iPhone 7 and an iPhone 12.

The tests succeeded only with the combination of iPhone and Visa cards: with Mastercard, a check ensures that a locked iPhone carries out transactions only with transit card readers. Examining Samsung Pay, the researchers concluded that transactions from locked Samsung devices are possible, but their amount is always zero; transit providers charge fares based on the data associated with these transactions.

The experts say they reported their findings to Apple and Visa engineers in October 2020 and May 2021, but the problem has still not been fixed.

“Our discussions with Apple and Visa have shown that both parties are partially to blame, but neither of them is willing to take responsibility and implement a fix, leaving users vulnerable indefinitely,” the study authors say.

Visa officials told Bleeping Computer the following:

“Visa cards connected to Apple Pay Express Transit are secure and cardholders can continue to use them with confidence. Variants of contactless fraud schemes have been studied in laboratory conditions for more than ten years, but have been found unsuitable for large-scale implementation in the real world.”

Let me remind you that I previously reported that scientists developed an attack that allows paying with Visa cards without entering a PIN code.

Cybersecurity expert created an exploit to hack iPhone via Wi-Fi
https://gridinsoft.com/blogs/cybersecurity-expert-created-an-exploit-to-hack-iphone-via-wi-fi/
Thu, 03 Dec 2020 21:43:34 +0000

Google Project Zero expert Ian Beer has demonstrated an exploit to hack iPhone and other iOS devices remotely and without user interaction.

The underlying critical vulnerability, CVE-2020-3843, discovered by the researcher, made it possible to remotely steal sensitive data from any device within Wi-Fi range without any user interaction.

The exploit, which Beer worked on alone for six months, allows an attacker “to view all photos, read all e-mail, copy all private messages and track everything that happens [on the device] in real time.”

Apple engineers fixed the problem back in the spring of this year (in iOS 13.3.1, macOS Catalina 10.15.3 and watchOS 5.3.7), and the researcher has now disclosed the details and even demonstrated the attack in action.

“The root of the problem was a ‘rather trivial buffer overflow error’ in the Wi-Fi driver related to Apple Wireless Direct Link (AWDL), a proprietary network protocol developed by Apple for use with AirDrop, AirPlay and so on, which was intended to simplify the exchange of data between Apple devices,” says Ian Beer.

The video below shows how, using an iPhone 11 Pro, a Raspberry Pi and two Wi-Fi adapters, the researcher was able to remotely read and write arbitrary kernel memory. Beer used this to inject shellcode into kernel memory by exploiting a victim process, escape the sandbox and retrieve user data.

In essence, an attacker first had to target the AirDrop BTLE mechanism to force the AWDL interface on. This was done by brute-forcing the contact hash values (since users usually allow AirDrop only from their contacts), after which the AWDL buffer overflow was triggered.

As a result, it was possible to gain access to the device and run malware with root privileges, giving the attacker complete control over the user’s personal data: email, photos, messages, iCloud data, passwords and cryptographic keys from the Keychain, and much more.

Even worse, such an exploit could be made wormable, that is, it could spread from one device to another over the air, again without user intervention.

Beer notes that the vulnerability was not exploited by cybercriminals, but the hacking community and “exploit vendors seem to be interested in the released fixes.”

I also wrote that a researcher remotely hacked an iPhone using only one vulnerability.

And always remember that US authorities can hack the iPhone, but may have difficulties with Android.

Kr00k problem threatens devices with Qualcomm and MediaTek Wi-Fi chips
https://gridinsoft.com/blogs/kr00k-problem-threatens-devices-with-qualcomm-and-mediatek-wi-fi-chips/
Mon, 10 Aug 2020 16:48:17 +0000

In early 2020, ESET experts described the Kr00k vulnerability (CVE-2019-15126), which can be used to intercept and decrypt Wi-Fi (WPA2) traffic. At the time it was reported that any device using Cypress Semiconductor or Broadcom chips, from laptops and smartphones to routers and IoT devices, was susceptible to the problem. It has now emerged that Kr00k also threatens devices with Qualcomm and MediaTek Wi-Fi chips.

In March, ESET experts wrote that they had tested and confirmed the problem on iPhone, iPad, Mac, Amazon Echo and Kindle, Google Nexus, Samsung Galaxy, Xiaomi Redmi, Raspberry Pi 3, and on Wi-Fi routers from Asus and Huawei. In total, the Kr00k vulnerability was thought to threaten about a billion devices.

“The Kr00k problem is associated with the encryption used to protect data packets transmitted over Wi-Fi. Typically, such packets are encrypted with a unique key that depends on the Wi-Fi password set by the user. However, on vulnerable chips this key is reset to zero during the disassociation process, for example a temporary disconnection, which usually occurs due to a bad signal,” ESET researchers said.

Thus, attackers can force a device into a prolonged disassociated state and capture the Wi-Fi packets intended for it. Then, by exploiting the Kr00k bug, they can decrypt that Wi-Fi traffic using the all-zero key.

[Image: Kr00k threatens Qualcomm and MediaTek]

Following the release of ESET’s February report, Broadcom and Cypress engineers released fixes for their products.

However, ESET experts have now warned that chips from Qualcomm and MediaTek are vulnerable to similar flaws.

In the case of Qualcomm, the vulnerability received the identifier CVE-2020-3702; by exploiting it, an attacker can, after disassociation, gain access to confidential data.

“The difference with the attack described above is that the data captured in this case is not encrypted at all, while exploiting the original Kr00k problem at least requires the use of a ‘zero’ key,” the experts said.

The researchers tested the vulnerability on the D-Link DCH-G020 Smart Home Hub and the Turris Omnia wireless router. However, any other device that uses vulnerable Qualcomm chips can also be affected by the new issue.

Qualcomm released a patch for its proprietary driver in July 2020, but the situation is complicated by the fact that some vulnerable devices use open source Linux drivers, and it is unclear whether the problem will be fixed there. Qualcomm said it has already provided OEMs with all the necessary instructions, and users can only wait for patches from the individual manufacturers.

In addition, ESET experts found that MediaTek chips, which are widely used in Asus routers as well as in the Microsoft Azure Sphere development kit, likewise do not use encryption at all.

“Azure Sphere uses the MediaTek MT3620 microcontroller and targets a wide variety of IoT applications, including smart homes, commercial, industrial and many other sectors,” the researchers write.

MediaTek released fixes for the issue in March and April, and Azure Sphere received patches in July 2020.

Given the release of a number of exploits for the original Kr00k vulnerability, the researchers have published a script that helps determine whether a device is vulnerable to the original Kr00k or to the new variants of the attack.

Sindhi Language Symbols Disable iPhone and iPad
https://gridinsoft.com/blogs/sindhi-language-symbols-disable-iphone-and-ipad/
Mon, 27 Apr 2020 16:41:41 +0000

Users have found that messages containing certain Sindhi-language characters (Sindhi is spoken mainly in India and Pakistan) disable iOS 13.4.1 and crash iPhones and iPads.

The “text bomb” affects the operation of the device even if the user merely receives a notification from Messages, WhatsApp or a social network (for example, Twitter). This means the problem can affect thousands of people.

After receiving such a malicious notification, the device freezes, sometimes stops responding altogether, and eventually crashes.

“The string of text, which we aren’t going to share here, includes the Italian flag emoji and characters in the Sindhi language. When an iPhone, iPad, Mac, or Apple Watch receives a notification with this text string, things get wonky. Sometimes, your device will crash, while other times it completely stops responding to touch input, and much more,” 9to5Mac journalists report.

According to 9to5Mac, the problematic characters are now spreading on Twitter and other social networks, having first been posted in an unnamed Telegram channel or group.

“Details of where this text string originated are somewhat unclear, but the original source seems to have been a Telegram group. It’s now going viral on Twitter and other social media platforms, though, so it’s worth being aware of it. It can spread through theoretically any application, including Twitter, Messages, and more…,” 9to5Mac writes.

Initially it was reported that, to trigger the failure, the notification had to contain the Italian flag emoji as well as the Sindhi characters. However, the well-known blogger EverythingApplePro demonstrated that the Italian flag is not necessary.

[Image: Sindhi symbols disable iPhone]

Since there is no fix yet, and it is unclear when Apple will release a patch, users are advised to temporarily turn off notifications.

Let me remind you that this is not the first bug of this kind. In 2018, iOS users suffered from a similar error involving a character from the Telugu language, common in the Indian states of Andhra Pradesh and Telangana. Applications then reacted to the problematic character (జ్ఞా) like to a classic “text bomb”: they hung and went into an endless cycle of reboots.

And recently a new iOS exploit was discovered, with the help of which China tracked Uyghurs.

Vulnerabilities allowed access to cameras on Mac, iPhone and iPad
https://gridinsoft.com/blogs/vulnerabilities-allowed-access-to-cameras-on-mac-iphone-and-ipad/
Mon, 06 Apr 2020 16:19:21 +0000

Apple paid $75,000 to security researcher Ryan Pickren under its bug bounty program for vulnerabilities in Safari that made it possible to access another person’s camera on Mac, iPhone and iPad simply by directing them to a specially crafted site.

In total, Pickren discovered seven vulnerabilities in the Apple browser and the WebKit browser engine (CVE-2020-3852, CVE-2020-3864, CVE-2020-3865, CVE-2020-3885, CVE-2020-3887, CVE-2020-9784, CVE-2020-9787), three of which can be chained together and used to spy on users through the camera and microphone of an iPhone, iPad or Mac.

Such an attack requires very little: the victim only has to visit a malicious site. No other interaction is needed, and the malicious site can pose as a popular legitimate resource and abuse permissions the victim would grant only to a trusted domain.

“If a malicious site needs to access the camera, all it needs is to masquerade as a trusted video-conferencing site, such as Skype or Zoom,” the researcher notes.

Fixes for the bugs found by the researcher were released as part of Safari 13.0.5 (released January 28, 2020) and Safari 13.1 (released March 24, 2020).

Pickren explains that Safari grants access to devices that require specific permissions (camera, microphone, location and so on) on a per-site basis. This lets individual sites, such as the official Skype site, access the camera without asking the user’s permission on every visit.

On iOS there is an exception to this rule: while third-party applications must ask the user’s consent to access the camera, Safari can access the camera or photo gallery without any permission prompt.

[Image: Access to cameras on Mac and iPhone]

Exploitation of the problems became possible because of the way the browser parses URL schemes and handles the security settings for each site. Note that the researcher’s method works only with sites already open in the browser.

“The most important fact is that the URL scheme is completely ignored,” the expert writes. “This is a problem, as some schemes do not contain a meaningful host name at all, for example file:, javascript: or data:. Put simply, the bug makes Safari think the malicious site is actually a trusted one. This is due to the exploitation of a number of shortcomings (in how the browser parses the URI, manages the web origin and initializes the secure context).”

In effect, Safari fails to verify that sites adhere to the same-origin policy, and so grants access to a site that should never have received permission at all. As a result, https://example.com and its malicious counterpart fake://example.com may end up with the same permissions. A file: URI (for example, file:///path/to/file/index.html) can therefore be used to trick the browser and change the document’s domain using JavaScript.

“Safari believes we are on skype.com and I can load some kind of malicious JavaScript. Camera, microphone and screen sharing will be compromised after opening my local HTML file,” Ryan Pickren writes.

A blob: URL works similarly: blob://skype.com, for example, can be used to run arbitrary JavaScript code and thereby access the victim’s webcam directly, without permission.

Even worse, the study showed that plaintext passwords can be stolen in the same way, since Safari uses the same approach to identify sites eligible for password autofill.

PoC exploits and a demonstration of the attacks described are available on the researcher’s blog.

I should also remind you that a researcher recently hacked an iPhone remotely using only one vulnerability.
