Gadgets are susceptible to a stored XSS vulnerability. Rauch has revealed the issue, although the patch is not yet available, as he was disappointed in Apple’s bug bounty program.

The root of the vulnerability lies in the fact that when an AirTag user turns on “lost mode”, that is, he cannot find his item, he can add his phone number and a custom message that will be displayed to anyone who finds and scans the AirTag using any device with NFC support.

Rauch noticed that the unique page created on found.apple.com for each AirTag is prone to stored XSS and the problem could be exploited by inserting malicious data into the phone number field.

The researcher describes the following attack scenario: an attacker turns on the “loss mode” for his own AirTag and intercepts the request associated with this operation. Then he enters malicious data into the phone number field.

After that, the attacker can only drop the AirTag device in the place where his target (or a bystander, if the attack is opportunistic) will find the key fob and scan it. After scanning such an AirTag, a malicious payload will be launched immediately.

Rauch demonstrated such an attack by injecting a payload that redirects the victim to a phishing page that mimics iCloud. Since we are talking about an Apple product, the iCloud login page may not raise suspicion from the victim, although, in fact, no credentials need to be provided when scanning the found AirTag.

In a similar way, a criminal can lure his victim to any other site, including one that distributes malware, or create another payload, which, for example. will intercept session tokens and clicks.

Rauch also notes that it is possible to use a malicious link to found.apple.com on its own by sending it directly to your target. In this case, the payload will be launched after accessing the link, and there will not even be a need to scan the AirTag.

Rauch told the well-known cybersecurity journalist Brian Krebs that he notified Apple of the problem on June 20, 2021, but the company reacted very slowly, constantly sending replies that specialists were studying the bug. Apple also refused to answer the expert’s questions about the possible reward for the detected error. As a result, Rauch was completely disappointed in Apple’s bug bounty and decided to publish the details of the vulnerability in the public domain.

Let me remind you that recently another information security specialist disclosed the details of bypassing the lock screen in iOS, and also wrote that this is a kind of revenge to Apple for the fact that earlier in 2021 the company downplayed the significance of similar problems of bypassing the lock screen, which he reported. Shortly thereafter, a researcher known by the nickname Illusion of Chaos published detailed descriptions and exploits for three 0-day vulnerabilities in iOS. He explained that he had reported these issues to Apple at the beginning of the year, but the company has never released any patches.

The Washington Post devoted a long article to this problem, in which many cybersecurity specialists talked about the same problems and argued that the company has never left their bug reports unattended for months, released ineffective patches, understated the size of rewards and generally prohibited researchers from participating in the bug bounty further, if they started to complain.

Let me also remind you that I wrote that Experts showed fraudulent payments from a locked iPhone with Apple Pay and a Visa card.

The post Users can be lured to a malicious site through a vulnerability in Apple AirTag appeared first on Gridinsoft Blog.

In total, Picren discovered seven vulnerabilities in the Apple browser and the Webkit browser engine (CVE-2020-3852, CVE-2020-3864, CVE-2020-3865, CVE-2020-3885, CVE-2020-3887, CVE-2020-9784 , CVE-2020-9787), three of which can be linked together and used to track users through the camera and microphone on an iPhone, iPad or Mac.

For such an attack, just a little is required: for the victim to enter a malicious site. No other interaction is required, and a malicious site can pretend to be a popular legitimate resource and abuse the permissions that the victim would grant only to a trusted domain.

“If a malicious site needs to access the camera, all that it needs to mask itself as a reliable site for video conferencing, such as Skype or Zoom”, — the researcher notes.

Corrections for bugs found by the specialist were released as part of Safari 13.0.5 (release dated January 28, 2020) and Safari 13.1 (release dated March 24, 2020).

Picren explains that Safari creates access to devices that require specific permissions (such as camera, microphone, location, and so on) for each individual site. This allows individual sites, such as the official Skype site, to access the camera without asking for user permission with each start.

In iOS, there are exceptions to this rule: if third-party applications must require user’s consent to access the camera, then Safari can access the camera or photo gallery without any permissions.

Exploitation of the problems became possible due to the way the browser parses URL schemes and processes the security settings for each site. In this case, the researcher’s method works only with sites already open in the browser.

“The most important fact is that the URL scheme is completely ignored,” the expert writes. – This is a problem, as some schemes do not contain a meaningful host name at all, for example file:, javascript: or data:. Simply, the error makes Safari think that the malicious site is actually trusted one. This is due to exploitation of a number of shortcomings (how the browser parses the URI, manages the web origin and initializes the secure context).”

In fact, Safari cannot verify that the sites adhered to Same Origin policies, thereby granting access to another site that should not have been granted permission at all. As a result, the site https://example.com and its malicious counterpart fake://example.com may have the same permissions. Therefore, you can use file: URI (for example, file:///path/to/file/index.html) to trick the browser and change the domain using JavaScript.

“Safari believes we are on skype.com and I can download some kind of malicious JavaScript. Camera, Screen Sharing microphone will be compromised after opening my local HTML file”, — Ryan Pickren writes.

Similarly works the blob URL: (for example, blob://skype.com) can be used to run arbitrary JavaScript code, using it to directly access the victim’s webcam without permission.

Even worse, the study showed that unencrypted passwords can be stolen in the same way, since Safari uses the same approach to detect sites that require automatic password completion.

PoC exploits and a demonstration of the attacks described are available on the specialist blog.

I should also remind you that recently researcher remotely hacked iPhone using only one vulnerability.

The post Vulnerabilities allowed access to cameras on Mac, iPhone and iPad appeared first on Gridinsoft Blog.