Monday, December 23, 2024

Hackers steal iCloud photographs by means of calendar invitations — no clicks required

Even Apple’s Calendar app will be weak


Hackers steal iCloud photographs by means of calendar invitations — no clicks required

A safety researcher has detailed an outdated hack in macOS that gave hackers full entry to a person’s iCloud, needing solely a calendar invite to succeed.

In 2022, safety researcher Mikko Kenttala found a zero-click vulnerability inside macOS Calendar that would permit attackers so as to add or delete information within the Calendar sandbox setting. The vulnerability allowed attackers to execute malicious code and entry delicate information saved on the sufferer’s system, together with iCloud Photographs.

The exploit begins with the attacker sending a calendar invite containing a malicious file attachment. The filename is not correctly sanitized, which permits the attacker to carry out a “listing traversal” assault, that means they’ll manipulate the file’s path and place it in unintended areas.

The vulnerability (CVE-2022-46723) lets attackers overwrite or delete information throughout the Calendar app’s filesystem. For instance, if the attacker sends a file named “FILENAME=../../../malicious_file.txt,” it will likely be positioned exterior its supposed listing in a extra harmful location within the person’s filesystem.

Attackers may additional escalate the assault by utilizing the arbitrary file write vulnerability. They may inject malicious calendar information designed to execute code when macOS is upgraded, notably from Monterey to Ventura.

Flowchart detailing how an arbitrary file write vulnerability can lead to unauthorized access to iCloud Photos through various injection methods and SMB-mounting a malicious application.

The complete exploit chain

These information included occasions with alert functionalities that triggered when the system processed calendar information. Injected information would include code to robotically launch information like .dmg photographs and .url shortcuts, finally resulting in distant code execution (RCE).

Ultimately, the attacker may fully take over the Mac with out the person’s information or interplay.

Thankfully, the hack is not new. Apple patched it over a number of updates from October 2022 to September 2023. These fixes concerned tightening file permissions throughout the Calendar app and including extra safety layers to forestall the listing traversal exploit.

The best way to keep secure from zero-click assaults

To remain secure from zero-click vulnerabilities just like the one found in macOS Calendar, it is essential to observe a number of protecting measures. In the beginning, all the time maintain your software program updated.

Apple steadily releases patches that tackle safety flaws, and enabling automated updates ensures you may get vital fixes. Lastly, strengthen your system’s safety settings by limiting apps’ entry to delicate information, corresponding to your calendar, photographs, and information.

Related Articles

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Latest Articles