Safari hack shows browser security key to cyberdefense


In news you may have missed, Apple awarded a bug bounty for more than $100k back in January. The bug identified was a clever and creative vulnerability in the Safari browser system which could have allowed hackers to exploit target systems, implant malicious files and code on host computers, impersonate users with accurate credentials, commandeer webcams and microphones, etc. This came as a bit of a shock considering Apple’s very public commitment to privacy and security…

But, even the most well-intentioned efforts to protect one’s privacy and security can sometimes fall short (even from the biggest and best tech companies on Earth). Apple is much better about protecting user privacy than some other hardware and platform companies, but the underlying message is this — even the best, most secure systems have vulnerabilities. So what do you do about them as a small or medium sized business?

Safari and MacOS trust issues (or lack of issues, really)

According to a Wired article from January, this is how the vulnerability worked:

MacOS has built-in protections to prevent [attacks], including Gatekeeper, which confirms the validity of the software your Mac runs. But this hack got around those safeguards by abusing iCloud and Safari features that macOS already trusts. While poking for potential weaknesses in Safari, independent security researcher Ryan Pickren started looking at iCloud’s document-sharing mechanism because of the trust inherent between iCloud and macOS. When you share an iCloud document with another user, Apple uses a behind-the-scenes app called ShareBear to coordinate the transfer. Pickren found that he could manipulate ShareBear to offer victims a malicious file.

Basically, Apple’s environment trusts its own systems and transfer protocols to the point of vulnerability. Pickren was able to get creative in how he navigated Apple’s back end sharing system to pull an end around. That’s why his bug bounty was so lucrative

(More context from the Wired article)

Such bugs may be common, but that doesn’t make them any less serious. Attackers regularly take advantage of browser vulnerabilities for both criminal and nation-state hacking. For example, they are commonly exploited in watering hole attacks that target visitors of tainted websites. And hackers actively use unpatched “zero-day” browser vulnerabilities they’ve discovered or purchased, along with older bugs that they can exploit opportunistically when targets haven’t updated their browsers.

All of this underlines a larger theme in corporate security…

Just because it’s backed by an industry leader doesn’t mean you’re home free

When it comes to privacy and security, Apple really is a leader in the consumer space. Safari is one of the first major browsers to limit tracking, hide IP addresses and email addresses, etc. But even Apple’s systems are vulnerable to creative and clever threat vectors (and you better believe threat vectors for you and your company are clever and creative too).

So, that means you really do have to audit your security and your systems regularly (that’s where we come in). You have to be backing up your systems, storing those backups in secure locations with security protocols in place to limit access from external sources, logging everything that’s happening in your network and systems while running continuous monitoring tools on that access, etc.

All that to say, for most small and medium sized businesses, it pays to have a partner looking out for all of this, all the time, all on your behalf. If that sounds like something of interest to you, drop us a line — we’d love to discuss how we can help protect you and your business from threats now and into the future.