Amazing rundown by Ryan Pickren on how he gained unauthorized Camera access on iOS and macOS.
We started on a normal HTTP website and ended up on a bastardized blob URI in a Secure Context. Here is a quick summary of how we did it:
- Open evil HTTP website
- HTTP website becomes a `data:` URI
- `data:` URI becomes a `blob:` URI (with magic blank origin)
- Manipulate `window.history` (in 2 parts!)
- Create an `about:blank` iframe and `document.write` to it
- Dynamically give this iframe the `sandbox` attribute
- Attempt an impossible frame navigation using `X-Frame-Options`
- From within the iframe, `window.open` a new popup and `document.write` to it
- Profit
From this popup, we can use the mediaDevices Web API to access the webcam (front or rear), microphone, screen sharing (macOS only) and much more!
The hack in action (user must have previously trusted skype.com, which is not unlikely):
🤯🤯🤯
Webcam Hacking – The story of how I gained unauthorized Camera access on iOS and macOS →
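The punchline of the chain quoted above is that a document that started life on a plain HTTP site ended up being treated as a Secure Context with a trusted origin. The block below is an added example, not code from Ryan Pickren's post: it implements the W3C Secure Contexts rules ("is url potentially trustworthy?" and "is origin potentially trustworthy?") plus the URL standard's origin computation for `blob:` URLs, and runs them over the URL types the chain passes through, so you can see the answers a conforming browser is supposed to reach at each hop. The hostname `evil.example` and the UUID-looking path segments are constructed placeholders. Caveat: these are URL-level rules only; whether a document is actually a secure context also depends on its top-level browsing context, which is exactly the bookkeeping the iframe, `sandbox` and popup steps in the chain are exercising.

```javascript
// Added example (not from Ryan Pickren's post): W3C Secure Contexts rules
// applied to the URL types in the chain above. "evil.example" and the
// UUID-like path segments below are constructed placeholders.

// Origin of a URL as the URL standard defines it: a scheme://host[:port]
// tuple for http(s)/ws(s)/ftp, the inner URL's origin for blob:, and
// "opaque" for data:, about:, blob:null/... and anything that fails to parse.
function originOf(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return "opaque";
  }
  switch (url.protocol) {
    case "blob:":
      // blob:https://skype.com/<id> -> origin of https://skype.com/<id>
      // blob:null/<id>              -> "null/<id>" does not parse -> opaque
      return originOf(url.pathname);
    case "http:":
    case "https:":
    case "ws:":
    case "wss:":
    case "ftp:":
      return `${url.protocol}//${url.host}`;
    case "file:":
      // file: origins are implementation-defined; modelled as a single tuple.
      return "file://";
    default:
      return "opaque";
  }
}

const LOOPBACK_V4 = /^127(?:\.\d{1,3}){3}$/;

// Secure Contexts spec, "Is origin potentially trustworthy?"
function isOriginPotentiallyTrustworthy(origin) {
  if (origin === "opaque") return false;
  if (origin === "file://") return true;
  const { protocol, hostname } = new URL(origin);
  if (protocol === "https:" || protocol === "wss:") return true;
  // Loopback is trusted: localhost, *.localhost, 127.0.0.0/8, [::1]
  if (hostname === "localhost" || hostname.endsWith(".localhost")) return true;
  if (LOOPBACK_V4.test(hostname) || hostname === "[::1]") return true;
  return false;
}

// Secure Contexts spec, "Is url potentially trustworthy?"
function isUrlPotentiallyTrustworthy(urlString) {
  if (urlString === "about:blank" || urlString === "about:srcdoc") return true;
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return false;
  }
  // data: URLs are trusted because only the navigating page can create them;
  // note their origin is still opaque, so they gain no host-based trust.
  if (url.protocol === "data:") return true;
  return isOriginPotentiallyTrustworthy(originOf(urlString));
}

// Report origin and trustworthiness for every hop of a navigation chain.
function auditChain(urls) {
  return urls.map((url) => ({
    url,
    origin: originOf(url),
    trustworthy: isUrlPotentiallyTrustworthy(url),
  }));
}

// Constructed sample chain mirroring the URL types in the write-up.
const CHAIN = [
  "http://evil.example/",
  "data:text/html,<h1>step 2</h1>",
  "blob:null/1c6c3b7a-2b52-4e5b-9f6d-0c2e2a1d9b11",
  "about:blank",
  "blob:https://skype.com/1c6c3b7a-2b52-4e5b-9f6d-0c2e2a1d9b11",
];

for (const row of auditChain(CHAIN)) {
  const verdict = row.trustworthy ? "SECURE  " : "insecure";
  console.log(`${verdict} ${row.origin.padEnd(22)} ${row.url}`);
}
```

Only the last hop should ever be both trusted and carry a real `https://skype.com` origin; a `blob:null/...` URL is opaque and untrusted, and a `data:` URL is trusted but origin-less. Any document whose `isSecureContext` and `location.origin` disagree with this table for its actual creator is the kind of state the write-up reaches.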