Amazing rundown by Ryan Pickren on how he gained unauthorized Camera access on iOS and macOS.
We started on a normal HTTP website and ended up on a bastardized blob URI in a Secure Context. Here is a quick summary of how we did it:
- Open evil HTTP website
- HTTP website becomes a data:URI
- data:URI becomes a blob:URI (with magic blank origin)
- window.history (in 2 parts!)
- Create an iframe
- Dynamically give this iframe the
- Attempt an impossible frame navigation using
- From within the iframe, window.open a new popup and
From this popup, we can use the mediaDevices Web API to access the webcam (front or rear), microphone, screen sharing (macOS only) and much more!
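The chain above works because a blob: URI ended up being treated as a blank, trusted origin inside a Secure Context, which is exactly what the W3C Secure Contexts and URL standards say must not happen: a blob: URL inherits the origin of the document that minted it, and a data: URL has an opaque origin that is never trustworthy. The following is an added educational example, not Ryan Pickren's code or Safari's, that models those two checks (origin derivation and the "potentially trustworthy" test) using the WHATWG URL class available in Node. The `mayUseCamera` helper and the `trustedOrigins` list are assumptions standing in for a browser's per-site camera permission store.

```javascript
// Added example (not from the original page): a simplified model of the
// Secure Contexts "potentially trustworthy origin" check, showing that a
// blob: URL created by a plain-HTTP page must not count as a secure context.
// Assumptions: origins are derived with the WHATWG URL class; loopback hosts
// and file: URLs follow the spec's special cases; everything else is untrusted.

const TRUSTWORTHY_SCHEMES = new Set(["https:", "wss:"]);
const LOOPBACK_RE = /^(localhost|127(\.\d{1,3}){3}|\[::1\])$/i;

// Derive the origin of a URL the way the URL standard does for the schemes
// that matter here: blob: URLs borrow the origin of their inner URL, and
// data:/about: URLs have an opaque origin. Returns null for an opaque origin.
function originOf(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return null; // unparsable input has no usable origin
  }
  if (url.protocol === "blob:") {
    // "blob:http://evil.example/uuid" -> origin of "http://evil.example/uuid";
    // a blob: URL never gets a fresh, "blank" origin of its own.
    return originOf(url.pathname);
  }
  if (url.protocol === "data:" || url.protocol === "about:") return null;
  return url.origin === "null" ? null : url.origin;
}

// Secure Contexts spec, simplified: https/wss, loopback and file: are
// trustworthy; an opaque origin (data:, blob: minted by a data: page, etc.)
// is never trustworthy, so mediaDevices would not be exposed to it.
function isPotentiallyTrustworthy(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return false;
  }
  if (url.protocol === "file:") return true;
  const origin = originOf(urlString);
  if (origin === null) return false; // opaque origin -> not a secure context
  const o = new URL(origin);
  if (TRUSTWORTHY_SCHEMES.has(o.protocol)) return true;
  return LOOPBACK_RE.test(o.hostname);
}

// Hypothetical model of a browser's camera-permission decision: the caller
// must be in a secure context AND its (inherited) origin must already be in
// the user's trusted list. trustedOrigins is a constructed stand-in for the
// browser's per-site permission store.
function mayUseCamera(urlString, trustedOrigins) {
  if (!isPotentiallyTrustworthy(urlString)) return false;
  const origin = originOf(urlString);
  return origin !== null && trustedOrigins.includes(origin);
}

// Constructed sample inputs: the evil page, its derived URLs, and a real
// HTTPS page the user previously trusted.
const TRUSTED = ["https://skype.com"];
const SAMPLES = [
  "http://evil.example/",
  "data:text/html,<h1>hi</h1>",
  "blob:http://evil.example/0f1e2d3c",
  "blob:https://skype.com/0f1e2d3c",
];
for (const u of SAMPLES) {
  console.log(u, "origin:", originOf(u), "camera:", mayUseCamera(u, TRUSTED));
}

module.exports = { originOf, isPotentiallyTrustworthy, mayUseCamera };
```

Run with `node secure-context-model.js`: only the blob: URL whose inner URL is `https://skype.com` reaches the camera, because it inherits the trusted HTTPS origin; the HTTP page, the data: page and the blob: minted from HTTP all fail either the secure-context test or the origin match, which is the behaviour Safari was missing.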
The hack in action (user must have previously trusted skype.com, which is not unlikely):