Webcam Hacking – The story of how I gained unauthorized Camera access on iOS and macOS

Amazing rundown by Ryan Pickren on how he gained unauthorized Camera access on iOS and macOS.

We started on a normal HTTP website and ended up on a bastardized blob URI in a Secure Context. Here is a quick summary of how we did it:

  1. Open evil HTTP website
  2. HTTP website becomes a data: URI
  3. data: URI becomes a blob: URI (with magic blank origin)
  4. Manipulate window.history (in 2 parts!)
  5. Create an about:blank iframe and document.write to it
  6. Dynamically give this iframe the sandbox attribute
  7. Attempt an impossible frame navigation using X-Frame-Options
  8. From within the iframe, window.open a new popup and document.write to it
  9. Profit

From this popup, we can use the mediaDevices Web API to access the webcam (front or rear), microphone, screen sharing (macOS only) and much more!

The hack in action (user must have previously trusted skype.com, which is not unlikely):

🤯🤯🤯

Webcam Hacking – The story of how I gained unauthorized Camera access on iOS and macOS →

Google Maps Hacks: Creating a Virtual Traffic Jam

Google Maps Hack by Simon Weckert:

99 second-hand smartphones are transported in a handcart to generate a virtual traffic jam in Google Maps. Through this activity, it is possible to turn a green street red, which has an impact in the physical world by navigating cars onto another route to avoid being stuck in traffic.

Hah, Brilliant!

Google Maps Hacks →

Learn about security by hacking a fake bank using a real hacking method

Cool interactive site showing you how to perform a Server Side Request Forgery (SSRF) hack, based on a true incident:

The following interactive tutorial is a reconstruction of Capital One’s data breach incident that exposed the records of almost 106 million customers.

Paige Thompson is accused of breaking into a Capital One server and gaining access to 140,000 Social Security numbers, 1 million Canadian Social Insurance numbers and 80,000 bank account numbers.

To all developers: As always, beware when processing user input …
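Since the incident above is an SSRF, the check a server should run before fetching any user-supplied URL is the part worth showing. The example below is added here and is not code from the Contra tutorial; it assumes a hypothetical `validate_outbound_url` helper, a pluggable resolver (so it can be tested without DNS) and the usual blocked ranges (loopback, RFC 1918, link-local, where cloud metadata services live).

```python
import ipaddress
import socket
from typing import Callable, Iterable, Optional, Set
from urllib.parse import urlsplit

class UnsafeUrl(ValueError):
    """The URL must not be fetched on the user's behalf."""

# Ranges a server-side fetch of a user-supplied URL must never reach: loopback,
# RFC 1918, carrier-grade NAT and link-local (where cloud instance metadata
# services live), plus the IPv6 equivalents.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "172.16.0.0/12",
    "192.168.0.0/16", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

def dns_resolve(host: str) -> Set[str]:  # real resolver; injected so tests can run offline
    return {ai[4][0] for ai in socket.getaddrinfo(host, None)}

def validate_outbound_url(url: str, resolver: Callable[[str], Iterable[str]] = dns_resolve,
                          allowed_hosts: Optional[Set[str]] = None) -> set:
    """Return the addresses the host maps to if all of them are safe, else raise UnsafeUrl.
    Connect to one of the returned addresses rather than re-resolving, or DNS
    rebinding can swap the target between this check and the actual request."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise UnsafeUrl(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host or parts.username or parts.password:
        raise UnsafeUrl("missing host, or credentials embedded in URL")
    if allowed_hosts is not None and host.lower() not in allowed_hosts:
        raise UnsafeUrl(f"host not on allow-list: {host}")
    try:
        addrs = {ipaddress.ip_address(host)}   # plain IP literal: no DNS needed
    except ValueError:   # hostname (or odd literal such as decimal 2130706433): resolve it
        addrs = {ipaddress.ip_address(a) for a in resolver(host)}
    for addr in addrs:
        # Unwrap ::ffff:a.b.c.d so an IPv6 literal cannot smuggle an IPv4 target.
        check = addr.ipv4_mapped if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped else addr
        if (check.is_loopback or check.is_link_local or check.is_private
                or check.is_multicast or any(check in net for net in BLOCKED_NETS)):
            raise UnsafeUrl(f"{host} resolves to blocked address {addr}")
    return addrs

def is_safe_outbound_url(url: str, **kwargs) -> bool:
    """Boolean convenience wrapper around validate_outbound_url."""
    try:
        validate_outbound_url(url, **kwargs)
        return True
    except UnsafeUrl:
        return False
```

An allow-list of hosts is the stronger control where the set of legitimate destinations is known; the address check is the fallback for when it is not.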

Contra – Interactive Application Security Training →

Via Jesse

The Most Expensive Lesson Of My Life: Details of SIM port hack

Sean Coonce got hacked last week. Even with 2FA enabled, the attackers got in … because his phone number got transferred to a rogue device:

My personal identity was hacked last week. The attacker was able to steal $100k+ in a sweep of my Coinbase account. I’m equal parts embarrassed, hurt, and deeply remorseful.

In an effort to raise awareness about the attack, I wrote about it.

After reading this, you'd almost get a second, private phone number for those services that only support 2FA via phone number.

The Most Expensive Lesson Of My Life: Details of SIM port hack →

O.MG Cable – A normal looking USB cable that can hijack your computer when plugged in

It looks like an ordinary Lightning to USB Cable from Apple, yet it’s not: it’s got built-in Wifi and can receive payloads which get executed on the machine it’s plugged in 😱

Let this be a reminder to never trust external cables (or USB outlets, for that matter!), found USB sticks, etc.

O.MG Cable →

Clearfix: A Lesson in Web Development Evolution

A lesson in webdev history by Jason Hoffman:

The clearfix, for those unaware, is a CSS hack that solves a persistent bug that occurs when two floated elements are stacked next to each other. When elements are aligned this way, the parent container ends up with a height of 0, and it can easily wreak havoc on a layout. The clearfix was invented to solve all that.

But to understand the clearfix, you have to go back even further, to 2004 and a particular technique called the Holly hack.

I had some nostalgic flashbacks whilst reading this 🙂

Clearfix: A Lesson in Web Development Evolution →

Wavethrough – Stealing data from remote sites through (fake) wav files

Jake Archibald discovered a really nice browser bug (which has since been fixed) by which he was able to steal data from remote sites by loading it in as a (fake) wav file.

The exploit works as follows:

  1. Make a request to evil-script, using a Content-Range header to suggest there’s more data to be loaded afterwards.
  2. Have evil-script return a valid WAV PCM header block, but also have it return a Redirect response header to the cross-origin (!) location you want to read out.
  3. Since a Content-Range header was used, the browser will make a second request to fetch the rest of the data.
    • A browser susceptible to this exploit will actually make the request to the remote location defined in the Redirect header.
    • Good browsers will stop here, throwing a CORS error.
  4. Store the returned data in an <audio> element.
  5. Play back the audio fragment, and meanwhile read out its data using a ScriptProcessorNode.

Not all browsers were affected by this bug: in Firefox you could only get the length of the returned content, and it was only in Edge that Jake was able to read out the actual contents of the generated wav file. Here’s a video of Edge (warning: as it’s raw data you’ll only hear glitches and stuff … you might want to turn down the volume):
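To make the "good browsers stop here" step concrete, here is a small model of the two checks a media loader has to make when a ranged load is continued: the continuation must come from the same origin as the first chunk, and any cross-origin bytes loaded without CORS stay opaque to script. This is an added, simplified simulation and not Jake's code, Edge's code or the Fetch spec; the `Response` and `MediaResource` names are made up for it.

```python
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlsplit

class CorsError(Exception):
    """The load would expose bytes the page is not allowed to read."""

def origin(url: str) -> tuple:
    p = urlsplit(url)
    return (p.scheme, p.hostname, p.port or {"http": 80, "https": 443}.get(p.scheme))

@dataclass
class Response:
    url: str                          # URL the bytes actually came from (after any redirect)
    body: bytes
    partial: bool = False             # 206 Partial Content: the loader will ask for the rest
    allow_origin: Optional[str] = None   # Access-Control-Allow-Origin header, if sent

@dataclass
class MediaResource:
    page_origin: str
    chunks: List[Response] = field(default_factory=list)
    tainted: bool = False             # set once any opaque (cross-origin, no CORS) bytes are in

    def append(self, resp: Response) -> None:
        if self.chunks and origin(resp.url) != origin(self.chunks[0].url):
            # A Range continuation landed on a different origin than the first
            # chunk: refuse to stitch two origins' bytes into one resource.
            raise CorsError(f"range continuation redirected to {resp.url}")
        cross_origin = origin(resp.url) != origin(self.page_origin)
        if cross_origin and resp.allow_origin not in ("*", self.page_origin):
            self.tainted = True       # opaque: may be played, must never reach script
        self.chunks.append(resp)

    def script_readable(self) -> Optional[bytes]:
        """Bytes a ScriptProcessorNode may hand to page script; None means silence."""
        return None if self.tainted else b"".join(c.body for c in self.chunks)

def load_media(page_origin: str, responses: List[Response]) -> MediaResource:
    """Feed the loader the responses the network returned, in order."""
    media = MediaResource(page_origin)
    for resp in responses:
        media.append(resp)
        if not resp.partial:
            break
    return media
```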

Nice find Jake!

A shame the process of reporting this bug to the Edge team didn't go that smoothly, though (details in Jake's post). I'm confident the Edge team will adjust / already have adjusted a few things internally to prevent this obstacle course from happening again.

Jake Archibald: “I discovered a browser bug” →

Other neat hacks that recently made the rounds were this one, using the W3C Ambient Light Sensor API, and this one, using mix-blend-mode. Always fun to see smart people find a way to abuse a new technology that seems safe at first 🙂

Side-channel attacking browsers through CSS3 features

Ruslan Habalov and Dario Weißer found a way to read contents from an iframe, using CSS3:

Accessing the DOM of an iframe that includes a cross-origin resource is forbidden by default. However, the content of the iframe was displayed in the same context as the rest of the site so we wanted to verify if there is side-channel potential that might allow us to leak state information through the interaction of browser features with the iframed content. With this in mind, we went ahead and tested various CSS features like transparency, rotation and mix-blend-mode on top of the cross-origin iframe.

By doing so, we discovered a bug that allowed side-channel attacking the CSS feature mix-blend-mode.

The bug was disclosed properly and has already been fixed.

Side-channel attacking browsers through CSS3 features →

Another neat hack that recently made the rounds was this one, using the W3C Ambient Light Sensor API. Always fun to see smart people find a way to abuse a new technology that seems safe at first 🙂

The dots do matter: how to scam a Gmail user

Recently James Fisher received an email from Netflix asking him to update his credit card information.

“Odd,” I thought, “but OK, I’ll check.” The email is genuinely from netflix.com, so I clicked the link. It logged me in and took me to an “Update your credit or debit card” page, which is genuinely hosted on netflix.com. No phishing here. But hang on, the “Update” page showed my declined card as **** 2745. A card number I don’t recognize. Checking my records, I’ve never seen this card number. What’s going on?

I finally realized that this email is to [email protected]. I normally use [email protected], with no dots. You might think this email should have bounced, but instead it reached my inbox, because “dots don’t matter in Gmail addresses”.

Whenever you handle email addresses in your code, also beware of plus-addressing (user+tag@gmail.com) when comparing them. James also offers a nice idea for how Gmail could prevent many of these scams.
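The scam works because a dotted or plus-tagged variant is a different string to the service but the same mailbox to Gmail, so a service should compare mailboxes, not strings. The helper below is an added example (not James's code); it folds dots, +tags and case only for Google's domains, because for other providers the local part's meaning is theirs to decide, and the `canonical_email` / `same_mailbox` names are made up here.

```python
from typing import Tuple

# Domains where Google ignores dots and anything after '+' in the local part and
# treats it case-insensitively; googlemail.com delivers to the same mailbox as gmail.com.
GOOGLE_DOMAINS = {"gmail.com": "gmail.com", "googlemail.com": "gmail.com"}

class InvalidEmail(ValueError):
    pass

def split_address(address: str) -> Tuple[str, str]:
    """Split into (local part, lower-cased domain); reject anything without exactly one '@'."""
    address = address.strip()
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain or "@" in local:
        raise InvalidEmail(address)
    return local, domain.lower().rstrip(".")

def canonical_email(address: str) -> str:
    """Canonical form for uniqueness and 'is this the same mailbox?' checks.

    Store the address exactly as the user typed it for actually sending mail;
    use this form for lookups. Dots, +tags and case are folded only for Google
    domains; elsewhere the local part is kept verbatim (RFC 5321 leaves its
    interpretation to the receiving server) and only the domain is lower-cased.
    """
    local, domain = split_address(address)
    if domain in GOOGLE_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "").lower()
        domain = GOOGLE_DOMAINS[domain]
        if not local:
            raise InvalidEmail(address)
    return f"{local}@{domain}"

def same_mailbox(a: str, b: str) -> bool:
    """True when two addresses end up in the same inbox."""
    return canonical_email(a) == canonical_email(b)
```

On sign-up, checking `same_mailbox(new_address, existing)` against existing accounts is what lets a service notice that a "new" user is an existing Gmail user under a dotted name.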

The dots do matter: how to scam a Gmail user →

Login with root and no password on any mac running macOS High Sierra

This tweet is currently making the rounds on Twitter:

And yes, that actually works: enter root as a username, leave the password empty, and *BOOM* you’re in.

The exploit also works at the login screen, and with remote management (Screen Sharing, etc).

UPDATE 2017.11.29: Apple has released a security update, fixing this nasty bug. Open AppStore.app and check the updates section to download it. No reboot required.

As Mattias detailed, a root user with no password gets created upon testing this. While awaiting a security patch from Apple, you can lock this user down by explicitly setting a password for its account (using Terminal.app):

sudo passwd -u root

If you’re not too fond of the shell, follow the instructions from this video.

And to think Apple already had a huge security slip-up with that Disk Utility bug, which showed the password instead of the password hint, but this one is much, much worse … #functionalhighground aye?