Microsoft researchers have discovered a vulnerability in the Apple Safari browser that could be exploited by hackers. In particular, the vulnerability allows unauthorized access to users’ webcams, microphones, locations and contacts on Mac computers managed by companies.
Safari privacy vulnerability targets Mac users
In a blog post published last week, Microsoft’s security researchers detailed a vulnerability they call “HM Surf” that can bypass macOS privacy protections. They shared that they made the discovery through penetration testing of Apple’s Transparency, Consent and Control (TCC) framework.
TCC is designed to make websites and apps ask users for permission before accessing sensitive features such as camera, microphone and location data. However, Microsoft found that Safari, being an Apple app, had privileged access and was exempt from these checks.
The vulnerability stems from Safari’s use of local files to store the privacy decisions of various websites. By changing the location of these files, an attacker can gain access to restricted features without triggering a permission prompt.
This means that a hacker can exploit this vulnerability to access a user’s webcam and microphone. They can take photos or record audio/video. Location data and contacts can also be secretly accessed. Microsoft said this technique could have been used by malicious actors.
The vulnerability appears to be limited to corporate Macs that use mobile device management (MDM) software. Apple said it fixed the problem with the latest macOS security update.