Apple Paid Hacker $75,000 for Uncovering Zero-Day Camera Exploits in Safari

Apple paid out $75,000 to a hacker for identifying multiple zero-day vulnerabilities in its software, some of which could be used to hijack the camera on a MacBook or an iPhone, according to Forbes.


A zero-day vulnerability refers to a security hole in software that is unknown to the software developer and the public, although it may already be known by attackers who are quietly exploiting it.

Security researcher Ryan Pickren reportedly discovered the vulnerabilities in Safari after he decided to "hammer the browser with obscure corner cases" until it started showing weird behavior.

The bug hunter found seven exploits in all. The vulnerabilities involved the way that Safari parsed Uniform Resource Identifiers, managed web origins and initialized secure contexts, and three of them allowed him to get access to the camera by tricking the user into visiting a malicious website.

"A bug like this shows why users should never feel totally confident that their camera is secure," Pickren said, "regardless of operating system or manufacturer."

Pickren reported his research through Apple's Bug Bounty Program in December 2019. Apple validated all seven bugs immediately and shipped a fix for the camera kill chain a few weeks later. The camera exploit was patched in Safari 13.0.5, released January 28. The remaining zero-day vulnerabilities, which Apple judged to be less severe, were patched in Safari 13.1, released on March 24.

Apple opened its bug bounty program to all security researchers in December 2019. Prior to that, Apple's bug bounty program was invitation-based and non-iOS devices were not included. Apple also increased the maximum size of the bounty from $200,000 per exploit to $1 million depending on the nature of the security flaw.

When submitting reports, researchers must include a detailed description of the issue, an explanation of the state of the system when the exploit works, and enough information for Apple to reliably reproduce the issue.

This year, Apple plans to provide vetted and trusted security researchers and hackers with "dev" iPhones, or special iPhones that provide deeper access to the underlying software and operating system that will make it easier for vulnerabilities to be discovered.

These iPhones are being provided as part of Apple's forthcoming iOS Security Research Device Program, which aims to encourage additional security researchers to disclose vulnerabilities, ultimately leading to more secure devices for consumers.
This article, "Apple Paid Hacker $75,000 for Uncovering Zero-Day Camera Exploits in Safari" first appeared on MacRumors.com


Safari in New Versions of iOS and macOS Includes Full Third-Party Cookie Blocking

Safari in macOS 10.15.4 and iOS and iPadOS 13.4 includes enhancements to Apple's Intelligent Tracking Prevention feature that allow for full third-party cookie blocking, Apple's WebKit team said today in a new blog post.

Cookies for cross-site resources are blocked by default in the new versions of Safari, introducing significant privacy improvements because it further cuts down on cross-site tracking functionality.
It might seem like a bigger change than it is. But we've added so many restrictions to ITP since its initial release in 2017 that we are now at a place where most third-party cookies are already blocked in Safari. To keep supporting cross-site integration, we shipped the Storage Access API two years ago to provide the means for authenticated embeds to get cookie access with mandatory user control. It is going through the standards process in the W3C Privacy Community Group right now.
The new cookie blocking feature makes sure there's no Intelligent Tracking Prevention state that can be detected through cookie blocking behavior as it removes statefulness, and it also prevents an attacker from seeing ITP status.
Safari's default cookie policy requires a third-party to have "seeded" its cookie jar as first-party before it can use cookies as third-party. This means the absence of cookies in a third-party request can be due to ITP blocking existing cookies or the default cookie policy blocking cookies because the user never visited the website, the website's cookies have expired, or because the user or ITP has explicitly deleted the website's cookies.

Thus, the absence of cookies in a third-party request outside the attacker's control is not proof that the third-party domain is classified by ITP.
Safari is the first mainstream browser to fully block third-party cookies by default, and Apple's WebKit team wants to pave the way for other browsers to do the same, so it plans to report on the experiences of full third-party cookie blocking to W3C privacy groups in an effort to help other browsers make the change as well.

More info on the changes implemented in Safari for iOS, iPadOS, and macOS today can be found in the full blog post.

This article, "Safari in New Versions of iOS and macOS Includes Full Third-Party Cookie Blocking" first appeared on MacRumors.com


Apple Likely to Drop Adobe Flash Support in Next Version of Safari

As noted in our coverage yesterday of the latest Safari Technology Preview 99, Apple has removed all support for Adobe Flash. Safari Technology Preview is basically a beta of the next version of Safari proper, all but confirming that Apple is officially ditching support for Flash in the next version of its native Mac browser.


This means that when the next version of Safari is released, users will no longer be able to install or use Adobe Flash in the browser. The elimination of Flash support should not heavily impact users, given that most other popular browsers have already moved away from the format. Likewise, iPhone and iPad users won't be affected because Apple's mobile operating system has never supported Flash.

It was way back in July 2017 that Adobe announced plans to end-of-life its Flash browser plug-in. Adobe said it was ceasing development and distribution of the software at the end of 2020, and encouraged content creators to migrate Flash content to HTML5, WebGL, and WebAssembly formats.

Adobe's Flash Player has always suffered from a seemingly never-ending stream of critical vulnerabilities that have exposed Mac and PC users to malware and other security risks. Vendors like Microsoft and Apple have had to work continually over the years to keep up with security fixes. Apple went so far as to stop selling Macs with Flash pre-installed, to ensure they weren't being shipped with outdated versions of the software and putting users at risk.

Some readers may fondly recall Steve Jobs' famous 2010 open letter offering his "Thoughts on Flash," in which the former Apple CEO railed against Adobe's software for its poor reliability, lack of openness, incompatibility with mobile sites and battery drain on mobile devices. Jobs also criticized Adobe for being "painfully slow" to adopt enhancements to Apple's platforms, and said that Apple refused to be at the mercy of a cross-platform development tool when it came to innovation.

We don't know when the next version of Safari browser for Mac will be released to the public. In any case, it's safe to say that Flash will not be missed.


This article, "Apple Likely to Drop Adobe Flash Support in Next Version of Safari" first appeared on MacRumors.com


Flaws in Apple’s Intelligent Tracking Prevention Safari Feature Let People Be Tracked

Google researchers discovered multiple security flaws in Apple's Safari web browser that let users' browsing habits be tracked despite Apple's Intelligent Tracking Prevention feature.

Google plans to publish details on the security flaws in the near future, and a preview of Google's discovery was seen by Financial Times, with the publication sharing information on the vulnerabilities this morning.

The security flaws were first found by Google in the summer of 2019, and were disclosed to Apple in August. There were five types of potential attacks that could allow third parties to learn "sensitive private information about the user's browsing habits."

Google researchers say that Safari left personal data exposed because the Intelligent Tracking Prevention List "implicitly stores information about the websites visited by the user." Malicious entities could use these flaws to create a "persistent fingerprint" that would follow a user around the web or see what individual users were searching for on search engine pages.

Intelligent Tracking Prevention, which Apple began implementing in 2017, is a privacy-focused feature meant to make it harder for sites to track users across the web, preventing browsing profiles and histories from being created.

Lukasz Olejnik, a security researcher who saw Google's paper, said that if exploited, the vulnerabilities "would allow unsanctioned and uncontrollable user tracking." Olejnik said that such privacy vulnerabilities are rare, and "issues in mechanisms designed to improve privacy are unexpected and highly counter-intuitive."

Apple appears to have addressed these Safari security flaws in a December update, based on a release update that thanked Google for its "responsible disclosure practice," though full security credit has not yet been provided by Apple so there's a chance that there's still some behind-the-scenes fixing to be done.


This article, "Flaws in Apple's Intelligent Tracking Prevention Safari Feature Let People Be Tracked" first appeared on MacRumors.com


10 Long Press Tips to Reveal Hidden Functions in Safari on iPhone and iPad

On iPhone and iPad, a long press (also known as a press-and-hold) gesture will often initiate a different action in an app that isn't immediately obvious, such as revealing an icon's contextual menu. On recent iPhones, a long press will sometimes also offer haptic feedback in the form of a vibration, which Apple calls Haptic Touch.

Apple has made extensive use of the long press gesture and Haptic Touch in its apps, which means if you don't tend to long press screen elements, you could be unaware of some convenient shortcuts to everyday actions, or you could even be missing out on app functionality altogether.

This is particularly true for Safari, Apple's native mobile browser, which has several handy features that can be accessed with a long press. In this article, we've put together 10 of our favorite long press tips for Safari on iPhones and iPads running iOS 13.

Note that the default minimum period that a finger must press on the screen for the long gesture to be recognized is half a second. If you're having trouble performing a long press, open the Settings app, go to Accessibility -> Haptic Touch, and try selecting a Fast or Slow touch duration. There's also a handy interactive demo area for you to test each setting.

1. Bookmark Multiple Tabs in One Go


Make sure you have a few tabs open in Safari that you want to reference at a later time. Now, select one of those tabs, and in the main browsing window, long press the Bookmark icon (it looks like an open book).

A popup menu will appear on the screen that includes options to Add to Reading List and Add Bookmarks for X Tabs, X being the number of tabs open. Once you've tapped the latter option, you'll be asked to save the tabs in a new bookmarks folder. Alternately, you can choose an existing folder in which to save the tabs.

2. Bulk Copy Links in a Bookmarks Folder


Following on from the last tip, if you long press on a bookmarks folder in Safari, you'll see a Copy Contents option pop up in the contextual menu.

Selecting this will copy a list of every website URL in that folder to your clipboard, allowing you to paste it elsewhere for easy sharing.

3. Fast Scroll Web Pages


A scroll bar appears on the right-hand side of the Safari window whenever you swipe to navigate a web page.

If the content you're viewing is long, perform a long press on the scroll bar. The bar will swell slightly and you'll be able to drag it up and down and scroll at a much faster rate.

4. Close All Open Tabs


If the number of active tabs has gotten out of hand in your browser session, long press the Tabs icon in the bottom-right corner (top-right on iPad) of the web page view to reveal the Close All Tabs option.

If you're in the vertical tabs view, you can reveal the same option by long pressing the Done button, which appears in the same location.

In iOS 13, you can actually get Safari to close tabs on your behalf, based on when you last viewed them. Launch the Settings app and select Safari -> Close Tabs, and you'll find options to make the browser automatically close tabs that have not been viewed After One Day, After One Week, or After One Month.

5. Re-open Recently Closed Tabs


If you've accidentally closed a browser tab in Safari and want to open it back up, open up the Tabs view and long press on the "+" icon to get a look at all of the tabs that you've recently closed.

It's worth remembering that this long press option exists, because if someone gets ahold of your phone and checks your browser, even if you've closed out a tab, it's still going to be accessible in Safari, unless you were using a private browser window or have cleared your browsing history.

6. Open All Bookmarks in a Folder in New Tabs


This option appears in the same contextual menu described in tip 2. Long press a bookmarks folder and you'll see an option to Open in New Tabs.


Select the option, and Safari will open everything in that folder in separate tabs, ready for perusal.

7. Preview a Favorite Site or Hyperlink


If you want to take a peek at what a specific web page hyperlink has to offer before actually visiting the site, long press the link to get a preview of it. Note that you can also perform this action on the Favorites or Frequently Visited sites that appear in the start page of a new tab.

If, say, you just want to copy a URL and would rather not have to wait for the preview to load every time you long press on one, simply tap Hide preview at the top-right corner of a link preview, and you won't get one again.

You can revert this functionality on the same long press screen at any time by selecting Tap to show preview.

8. Merge All Safari Windows


This one is exclusively for iPad users running iPadOS. If you have multiple browser windows open in the background, you can tidy things up by merging all of them, including their tabs, into the active browser window.

Simply tap and hold the Tabs icon in the top-right corner of the screen and select Merge All Windows.

9. Download a Linked File


Now that Safari has a Downloads Manager, you can download files directly from hyperlinks. Simply tap and hold a linked file, then select Download Linked File from the contextual menu. You can tap the Downloads Manager icon in the top-right corner of the address bar to check on its progress.

This option works for web pages, too. If you long press the headline of this article, for example, you can download an HTML version of it.

10. Access the Tab Control Panel


Another one that's just for Safari on iPad. Next time you have multiple tabs open, tap and hold one of those tabs to access the new tab control panel.

From this panel, you'll see options to copy the URL of the tab to the clipboard, close all other tabs, and two entirely new options allowing you to Arrange Tabs By Title or Arrange Tabs By Website. Select one of the latter two options, and your open tabs will be arranged alphabetically.


This article, "10 Long Press Tips to Reveal Hidden Functions in Safari on iPhone and iPad" first appeared on MacRumors.com


Pwn2Own Hacking Competition Returns in March, Up to $130,000 in Prizes Available for Safari Vulnerabilities

Trend Micro today announced that its annual Pwn2Own hacking competition will be held March 18-20 in Vancouver, Canada.


Pwn2Own, part of the CanSecWest conference, tasks security researchers with uncovering vulnerabilities in operating systems, web browsers, and more, ranging from macOS and Windows to Safari and Chrome.

This year, two prizes will be available for Safari on macOS, including $60,000 for a sandbox escape and $70,000 for a kernel-level escalation of privileges.

There is also up to a $500,000 prize for Tesla Model 3 vulnerabilities.

Last year at Pwn2Own, at least two zero-day security vulnerabilities were discovered in Safari on macOS. All exploits achieved during the contest are reported to the necessary companies like Apple so that they can be patched.


This article, "Pwn2Own Hacking Competition Returns in March, Up to $130,000 in Prizes Available for Safari Vulnerabilities" first appeared on MacRumors.com


DuckDuckGo’s Safari Privacy Browser Extension Now Available for macOS Catalina

Privacy-oriented search engine DuckDuckGo today released an updated version of its browser extension for desktop Safari users running macOS Catalina.


The launch comes after DuckDuckGo Privacy Essentials had to be removed from the Safari extensions gallery following major changes introduced in Safari 12 that made the extension incompatible. From the DuckDuckGo website:
As you may be aware, major structural changes in Safari 12 meant that we had to remove DuckDuckGo Privacy Essentials from the Safari extensions gallery. With Safari 13, new functionality was thankfully added that enabled us to put it back. Consequently, you'll need Safari 13+ on macOS 10.15 (Catalina) or newer to install the updated version.
DuckDuckGo Privacy Essentials blocks hidden third-party trackers on websites and features a Privacy Dashboard, which generates a Privacy Grade rating (A-F) information card whenever a user visits a site. The rating aims to let them see at a glance how protected they are, while providing additional options to dig deeper into the details of blocked tracking attempts.

While the extension doesn't include private search, DuckDuckGo Search is built into Safari as a default search option, and they work together to help users search and browse privately.

DuckDuckGo Privacy Essentials is only available for desktop browsers; however, DuckDuckGo Privacy Browser is available for iOS and uses the same privacy protection technology.


This article, "DuckDuckGo's Safari Privacy Browser Extension Now Available for macOS Catalina" first appeared on MacRumors.com


Apple Clarifies Tencent’s Role in Fraudulent Website Warnings, Says No URL Data is Shared and Checks are Limited to Mainland China

Following user concern over Apple using Chinese company Tencent as one of its Safe Browsing partners for Safari, Apple has issued a statement assuring customers that website URLs are not shared with its safe browsing partners.

For those unfamiliar with the feature, Safari sends data to Google Safe Browsing to cross reference URLs against a blacklist to protect users against scams and malicious sites. It recently came to light that Apple is also using Tencent for this purpose, and there was concern that data from users outside of China was being sent to Tencent.


According to Apple's statement, that is not the case, and Tencent is used for devices that have their region code set to mainland China. Users in the United States, the UK, and other countries do not have their website browsing checked against Tencent's safe list.
Apple protects user privacy and safeguards your data with Safari Fraudulent Website Warning, a security feature that flags websites known to be malicious in nature. When the feature is enabled, Safari checks the website URL against lists of known websites and displays a warning if the URL the user is visiting is suspected of fraudulent conduct like phishing.

To accomplish this task, Safari receives a list of websites known to be malicious from Google, and for devices with their region code set to mainland China, it receives a list from Tencent. The actual URL of a website you visit is never shared with a safe browsing provider and the feature can be turned off.
Safari occasionally receives a list of hash prefixes of URLs known to be malicious from Google or Tencent, choosing between them based on the device's region setting (Tencent for China, Google for other countries). Hash prefixes are the same across multiple URLs, which means the hash prefix received by Safari does not uniquely identify a URL.

Prior to loading a website, when the fraudulent website warning feature is toggled on, Safari checks whether the website URL has a hash prefix that matches one of the hash prefixes of malicious sites. If a match is found, Safari sends the hash prefix to its safe browsing provider and then asks for the full list of URLs that have a hash prefix that matches the suspicious one.

When Safari receives the list of URLs, it checks the original suspicious URL against the list, and if there is a match, Safari shows the warning pop-up suggesting users stay away from the site. The check happens on the user's device, and the URL itself is not shared with the safe browsing provider, but because Safari communicates directly with the safe browsing provider, the providers do receive device IP addresses.
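
The lookup flow described above, as an added Python sketch (not code from Apple, Google or Tencent). It shows which checks are decided on the device and exactly what the provider receives. The 2-byte prefix length, the simplified URL canonicalisation, the use of SHA-256, the provider returning full-length hashes, and all class names and URLs are assumptions made for the example.

```python
import hashlib
from urllib.parse import urlsplit

# Assumption: 2-byte prefixes so the demo can find a collision quickly.
# The page does not state the prefix length Safari uses.
PREFIX_LEN = 2


def canonical(url: str) -> str:
    """Simplified canonical form (assumption): lower-case host, no scheme or fragment."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    query = f"?{parts.query}" if parts.query else ""
    return f"{host}{parts.path or '/'}{query}"


def full_hash(url: str) -> bytes:
    return hashlib.sha256(canonical(url).encode("utf-8")).digest()


class Provider:
    """Stand-in for the safe browsing provider; records what lookups reveal to it."""

    def __init__(self, bad_urls):
        self._hashes = [full_hash(u) for u in bad_urls]
        self.seen = []  # every value a client has sent in a lookup

    def prefix_list(self):
        return {h[:PREFIX_LEN] for h in self._hashes}

    def full_hashes_for(self, prefix: bytes):
        self.seen.append(prefix)
        return [h for h in self._hashes if h[:PREFIX_LEN] == prefix]


class Client:
    def __init__(self, provider: Provider):
        self.provider = provider
        self.local_prefixes = provider.prefix_list()  # the occasional list update

    def check(self, url: str):
        """Return (verdict, contacted_provider)."""
        digest = full_hash(url)
        prefix = digest[:PREFIX_LEN]
        if prefix not in self.local_prefixes:
            return ("allow", False)  # decided locally, nothing leaves the device
        candidates = self.provider.full_hashes_for(prefix)  # only the prefix is sent
        return ("warn" if digest in candidates else "allow", True)


def constructed_url(client: Client, want_prefix_hit: bool) -> str:
    """Search constructed benign URLs for one that does / does not hit a local prefix."""
    n = 0
    while True:
        url = f"https://benign-{n}.example/"
        if (full_hash(url)[:PREFIX_LEN] in client.local_prefixes) == want_prefix_hit:
            return url
        n += 1


def demo():
    # Constructed block list; these hosts are placeholders, not real indicators.
    provider = Provider(["http://phish.example/login", "http://malware.example/dl?id=1"])
    client = Client(provider)
    results = {
        "miss": client.check(constructed_url(client, want_prefix_hit=False)),
        "collision": client.check(constructed_url(client, want_prefix_hit=True)),
        "listed": client.check("HTTP://Phish.Example/login#top"),
    }
    return results, provider.seen


if __name__ == "__main__":
    print(demo())
```

The "collision" case is a benign URL that shares a prefix with a listed one: it triggers a lookup but no warning, which is why a prefix alone does not identify the page being visited.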

Information about Apple's safe browsing partners can be found in the About Safari and Privacy screen, available in the Privacy and Security section of the Safari portion of the Settings app. Fraudulent website protection is enabled by default, and those still concerned about the safety check feature can turn it off by deselecting the "Fraudulent Website Warning" toggle.


This article, "Apple Clarifies Tencent's Role in Fraudulent Website Warnings, Says No URL Data is Shared and Checks are Limited to Mainland China" first appeared on MacRumors.com


Apple Sending User Data to Chinese Company for Fraudulent Website Warnings in Safari

Apple's Fraudulent Website Warning feature in Safari for iOS and Mac has come under scrutiny for using Chinese internet giant Tencent as one of its Safe Browsing providers.

The Safari feature has long sent data to Google Safe Browsing to cross-reference URLs against a blacklist and protect users against phishing scams and sites that attempt to push malware. However, it's unclear when Apple started sending user data to Tencent as well.

Apple notes in iOS that it sends some user IP addresses to Tencent, but most users are probably unaware of the fact. The mention can be found in the "About Safari & Privacy" screen, which is linked via small text under the Privacy & Security section in Settings -> Safari. The Fraudulent Website Warning feature is also enabled by default, so users aren't likely to know that their IP address may be logged unless they opt to view the information screen.

Apple's reference to Tencent has been found on devices running iOS 13, but some tweets suggest versions as early as iOS 12.2 also included the Chinese company as a safe browsing provider.

At this point, it's difficult to know for sure whether Apple users residing outside of China are having their data sent to Tencent, but the company appears to be mentioned on iPhones and iPads registered in the U.S. and the U.K., and possibly in other countries, too.


The privacy implications of shifting Safe Browsing to Tencent's servers are unknown, because Apple hasn't said much about it. However, according to Johns Hopkins University professor Matthew Green, a malicious provider could theoretically use Google's Safe Browsing approach to de-anonymize a user by linking their site requests.

Apple's relationship with the Chinese government has come in for increasing criticism lately, and that could make customers uneasy about Apple's links to Tencent, which is known to work closely with the Chinese Communist Party.

As such, Green believes users "deserve to be informed about this kind of change and to make choices about it. At very least, users should learn about these changes before Apple pushes the feature into production, and thus asks millions of their customers to trust them."


This article, "Apple Sending User Data to Chinese Company for Fraudulent Website Warnings in Safari" first appeared on MacRumors.com


U.K. Court Reinstates Lawsuit Accusing Google of Bypassing Safari’s Privacy Settings to Track iPhone Users

An appeals court in London has reinstated a lawsuit filed against Google that accuses the company of unlawfully gathering personal information by circumventing the iPhone's default privacy settings, according to Bloomberg.


The collective action, equivalent to a class action lawsuit in the United States, alleged that Google illegally tracked and gathered the personal data of over four million iPhone users in the U.K. between 2011 and 2012. The case was first brought in November 2017 and had been dismissed in October 2018.

"This case, quite properly if the allegations are proved, seeks to call Google to account for its allegedly wholesale and deliberate misuse of personal data without consent, undertaken with a view to a commercial profit," wrote Judge Geoffrey Vos in a ruling today, per the report.

A similar lawsuit was filed in the United States in 2012, when Google was discovered to be circumventing privacy protections in Safari on iOS in order to track users through ads on numerous popular websites.

Specifically, Google took advantage of a Safari loophole that made the browser think that the user was interacting with a given ad, thus allowing a tracking cookie to be installed. With that cookie installed, it became easy for Google to add additional cookies and to track users across the web.

At the time, Safari blocked several types of tracking, but made an exception for websites where a person interacted in some way — by filling out a form, for example. Google added code to some of its ads that made Safari think that a person was submitting an invisible form to Google, thus creating a temporary cookie.

Google stopped this practice after it was reported by The Wall Street Journal, and refuted many details of the report, while Apple closed the loophole in a Safari update shortly after. Google also paid a then-record $22.5 million fine to the Federal Trade Commission over its practices back in 2012.

"Protecting the privacy and security of our users has always been our No. 1 priority," a Google spokeswoman told Bloomberg. "This case relates to events that took place nearly a decade ago and that we addressed at the time."


This article, "U.K. Court Reinstates Lawsuit Accusing Google of Bypassing Safari's Privacy Settings to Track iPhone Users" first appeared on MacRumors.com
