Two Dangerous Safari Vulnerabilities Put Apple's Browser Users at Risk and Have Not Yet Been Resolved
A team of researchers has found two dangerous vulnerabilities in the Safari browser that have not yet been resolved by Apple. The flaws were discovered during the Tianfu Cup in China, a hacking contest where security experts win prizes for finding bugs and vulnerabilities that can be exploited by hackers.
As part of the contest, Apple asked participants to identify possible flaws in the Safari browser running on a 13-inch MacBook Pro and an iPhone 11 Pro with an operating system updated to iOS 14. The team that discovered the potentially security-threatening exploits won a $420,000 prize and provided Apple with guidance so it could develop security patches and fix the flaws. Currently, the Cupertino-based company is working to fix the two vulnerabilities that expose its users to attacks by malicious hackers.
Safari, the two vulnerabilities discovered in the contest
Teams that took part in the Tianfu Cup contest analyzed the presence of security holes in Apple's Safari browser, specifically focusing on a remote URL that could allow any malicious person to control the browser or the MacBook Pro device with an RCE (Remote Code Execution) attack, with $40,000 offered to whoever succeeded. If, in addition to an RCE attack, the team also managed to perform a sandbox leak, the prize rose to $60,000.
As for the Safari security analysis on the iPhone 11 Pro running iOS 14, teams challenged each other to try to implement RCE attacks by circumventing PAC mitigation, with the following prizes if successful: $120,000 for an RCE attack, $180,000 by adding a sandbox leak, and finally $300,000 for a remote jailbreak.
Apple working to fix the vulnerabilities
There are two major vulnerabilities highlighted by the Tianfu Cup for Apple, but details on the type of exploits have not been disclosed. Only the Cupertino-based company has received detailed information from security teams about the type of flaw to be fixed, and now developers are working on patches to be released in a new update to eliminate the problem.