In an article which starts by praising Apple's security, the hacks at Wired appeared shocked that a security researcher publicly shared new findings about vulnerabilities that would have allowed an attacker to exploit three Safari bugs in succession and take over a target's webcam and microphone on iOS and macOS devices.
Apple patched the vulnerabilities in January and March updates. But before the fixes, all a victim would have needed to do is click one malicious link and an attacker would have been able to spy on them remotely. Of course then the hacker would be able to view the life of an Apple fanboy which would be like watching paint dry.
Wired claimed that the bugs Pickren found all stem from seemingly minor oversights. For example, he discovered that Safari's list of the permissions a user has granted to websites treated all sorts of URL variations as being part of the same site, like https://www.example.com, http://example.com and fake://example.com.
By "wiggling around," as Pickren puts it, he was able to generate specially crafted URLs that could work with scripts embedded in a malicious site to launch the bait-and-switch that would trick Safari. A hacker who tricked a victim into clicking their malicious link would be able to quietly launch the target's webcam and microphone to capture video, take photos, or record audio.
The attack works on iPhones, iPads, and Macs alike. None of the flaws are in Apple's microphone and webcam protections themselves, or even in Safari's defenses that keep malicious sites from accessing the sensors. Instead, the attack surmounts all of these barriers just by generating a convincing disguise.