Welcome back to this week's security bulletin!

The governments around the world and health authorities are working hard to manage the Corona Virus outbreak, and software developers released many tools to prevent the community spread. In this situation, Apple and Google have announced their new project that enables the use of Bluetooth technology to help health agencies and governments to reduce the spread of the virus, with user privacy and security central to the design.

The primary method to avoid community spread of this virus is to track people who come in contact with the one infected with COVID-19 and isolate them. While most of the recently released tools use location tracking, the new tool announced by Google and Apple achieves this by using BLE beacons. Beacon is a small Bluetooth radio transmitter, powered by batteries. These transmitters are small hardware devices that incessantly transmit Bluetooth Low Energy (BLE) signals. The Bluetooth enabled smartphones are capable of scanning and displaying these signals.

The working of the new tool is depicted below:

Expected release date of the tool is by the mid of May and here is it features:

  • Explicit user consent required
  • Doesn't collect personally identifiable information or user location data
  • List of people you've been in contact with never leaves your phone
  • People who test positive are not identified to other users, Google or Apple
  • Will only be used for contact tracing by public health authorities for COVID-19 pandemic management
  • It doesn't matter if you have an iPhone or Android phone - works across both.

You can read more about it here.

There is important news to all Apple phone and MacBook users that your device's camera can get hacked visiting a website. An ethical hacker Ryan Pickren has demonstrated how he gained unauthorized Camera access on iOS and macOS, and Apple paid $75000 bounty reward to him. There were seven vulnerabilities found by him, and all of these fixed in Safari version 13.0.5 and 13.1.

In iOS, third-party apps must require users' explicit consent to access the camera, but the Safari browser can access a photo gallery or camera without any user's permission. As per Ryan's investigation, Safari failed to check the originality of URL, and grants access to another site that shouldn't have obtained permissions in the first place. As an outcome, a website such as "https://videoapp.com" and its malicious counterpart "fake://videoapp.com" ends up with the same permissions. Attackers can use this flaw to masquerade as a trusted video conferencing application like Skype or Zoom to again camera access.

The vulnerabilities get fixed in the latest versions, and all Safari users are requested to update as soon as possible.