Safari flaw let intruders hijack cameras on iPhones and Macs

Jon Fingas
Associate Editor

If you're working on a Mac at home or reconnecting with friends on an iPhone, you'll want to be sure you have the latest security updates. Security researcher Ryan Pickren has detailed recently patched Safari vulnerabilities that allowed intruders to hijack the cameras and microphones on iOS and macOS devices. A maliciously crafted website could trick Safari into believing the page had the same camera and mic permissions as one you'd already cleared, such as Skype. The attacker just needed to combine specially made web addresses with scripts to perform a "bait-and-switch."

If successful, the perpetrator could quietly capture audio and video and eavesdrop on victims. That could be a particularly serious issue when many are relying on webcams for remote meetings and classes during the COVID-19 pandemic.

Apple fixed the issues relatively quickly after their initial disclosure in December, with patches following in January and March. Pickren noted to Wired that some of the patches touched on "really, really old" bugs in WebKit, though, and they were coming to the forefront because of how hackers might use them in the modern era. In other words, iOS and Mac users may have dodged attacks simply because crooks and creeps weren't looking for these kinds of exploits until relatively recently.