A pair of security researchers have successfully hacked a Mac belonging to billionaire film producer Jeffrey Katzenberg — proving that owning a macOS device isn't an automatic defense against cyber threats.
Rachel Tobac, a social engineer and CEO of SocialProof Security, successfully carried out the attack on the unspecified macOS device. According to Tobac, the attack was a demonstration for identify theft protection firm Aura — a company that Katzenberg invests in.
We just hacked a billionaire!— Rachel Tobac (@RachelTobac) March 16, 2022
Got consent 1st then got to work hacking Jeffrey Katzenberg. @Evantobac & I stole his pics, emails, and contacts then turned on his mic (without an indicator light) & listened to his phone calls.
Here's the video on how we hacked a billionaire: pic.twitter.com/t63JJQccIr
Tobac leveraged a since-patched vulnerability and social engineering skills to get Katzenberg to click on a phishing link on a spoofed website. Once Katzenberg did so, she was able to steal photos, emails, and contacts from the Mac.
Additionally, the hacker was able to turn on the Mac's microphone and eavesdrop on Katzenberg without triggering the build-in macOS microphone indicator.
Tobac's husband Evan — also a hacker and security researcher — published another Twitter thread with details on the macOS vulnerability.
The exploit was built based on research from Ryan Pickren, who became notable when he was paid $100,500 for discovering a Safari Universal Cross-Site Scripting bug.
More specifically, the exploit leveraged the underlying bug to carry out an attack using iCloud links and Safari's sharing preferences. Importantly, the attack only worked because Katzenberg's Mac was out of date by several updates.
This attack worked because Jeffrey's OS/browser were out of date by close to 4 months.— Evan Tobac (@evantobac) March 16, 2022
4 months was enough for detailed descriptions of the vulnerabilities to become public, for me to read about them and incorporate them into an attack.
This is a good segue into mitigations.
According to both Tobacs, some mitigations for the specific attack include keeping machines patched with the latest security updates, using at least two methods of verification for communications, and avoiding clicking on suspicious email links — particularly if they are sent in an urgent manner.