How can Safari have access to my camera?

[Silly John Fatty]

Hi community,

I have a 27" Cinema Display as well as a Mac Pro with High Sierra 10.13.6 installed on it.

I decided to check if anything was having access to my camera by typing lsof | grep "VDC" in Terminal.

There I noticed two things:

1) avconfere - which is apparently an okay thing.

2) Safari

It was listed in this format:

avconfere [number] [account name] txt REG [number] [number] [number] /SystemLibrary/Frameworks/CoreMediaIO.framework/Versions/A/Resources/VDC.plugin/Contents/MacOS/VDC

Safari [number] [account name] txt REG [number] [number] [number] /SystemLibrary/Frameworks/CoreMediaIO.framework/Versions/A/Resources/VDC.plugin/Contents/MacOS/VDC

The numbers on the first line were identical to those on the second, except for the first in each row.

I was surprised that Safari was listed there, and so I did some research as to how it could have access to my camera. Safari was in fact open when I ran the command in Terminal. But in its Preferences, no site has access to my camera - it's set to "not allowed" for all sites by default. In my System Preferences, under Security, and then under the Privacy tab, my camera isn't even listed there - that means I probably never even gave camera access to any app (although I find that weird, because Photo Booth and FaceTime do have access to my Camera (I can use them normally if I open them) - and it makes me wonder why the camera as such doesn't appear in those settings).

After I ran the command, I closed Safari and reopened it again - with the same tabs that were open before. I ran the command again, but Safari didn't appear anymore. I closed and reopened it several times again, but Safari kept missing, even after over an hour.


Could someone enlighten me on what's happening here? Has someone hacked my camera? How does Safari have access to my camera at all? IS it having access in the first place, or does my Terminal output mean something else?

Please people, enlighten me! This is worrying me.

Thank you very much in advance, and I appreciate your time reading my post!
Winegarden

 

[chown33]

Where did you get the info that using that particular Terminal command would show you which apps had camera access?

Please post the URL / link of what you read.

 

[Silly John Fatty]

Where did you get the info that using that particular Terminal command would show you which apps had camera access?

Please post the URL / link of what you read.

A while ago I was basically searching how to find out which applications use my camera and stumbled across that command on several websites. I just searched it again and found this one here for example: https://www.howtogeek.com/289352/how-to-tell-which-application-is-using-your-macs-webcam/

Is that wrong? What's this command doing anyway?

 

[satcomer]

If you concerned about slowing apps to see your camera then install the reverse firewall shareware Little Snitch and be surprised of how many connections apps make in day!

 

[chown33]

A while ago I was basically searching how to find out which applications use my camera and stumbled across that command on several websites. I just searched it again and found this one here for example: https://www.howtogeek.com/289352/how-to-tell-which-application-is-using-your-macs-webcam/

Is that wrong? What's this command doing anyway?

That article is from January 2017. What it says may not be true today, and it may depend on your OS version, which you haven't identified.

What I take from the output of this command:

lsof | grep VDC

is that those are the processes who have loaded the media-access framework and asked to use a component, although they might not necessarily have been granted access.

The long pathname
/System/Library/Frameworks/CoreMediaIO.framework/Versions/A/Resources/VDC.plugin/Contents/MacOS/VDC
identifies the system framework (CoreMediaIO) and the plugin component (VDC).

AFAIK, loading that framework is required to actually use the camera, but it isn't sufficient to gain that access. In other words, an app would need to use functions in that framework for camera access, but the system can still deny access if that's what the Security & Privacy permission is set to.

The logical distinction is between "necessary" and "sufficient". Using the framework is necessary, but by itself isn't sufficient, AFAIK. An app would also need the proper OS-enforced security permission, which you have control over.

Since apps like FaceTime or Photo Booth will use the same media-access framework, they would appear in the list of apps who are using the framework. So having them appear in the list would be expected.

Apps like Safari (or any browser) will necessarily use the framework, but will also be constrained by the camera access policy you have set up.

In short, just because an app loads a particular framework, it doesn't necessarily imply that the app has unfettered access to every capability provided by that framework. The security architecture has finer-grained access controls than just at the framework level.

Some parts of the above may be incorrect. It may depend on which OS version you're using.


The article you linked does describe what the command line does.

The lsof command list all the processes who have loaded the media-access framework. Its output is then searched by the grep command for all occurrences of the string "VDC", or "AppleCamera", or whatever the word after grep is. The resulting output is then shown.

 

[Silly John Fatty]

That article is from January 2017. What it says may not be true today, and it may depend on your OS version, which you haven't identified.

What I take from the output of this command:

lsof | grep VDC

is that those are the processes who have loaded the media-access framework and asked to use a component, although they might not necessarily have been granted access.

The long pathname
/System/Library/Frameworks/CoreMediaIO.framework/Versions/A/Resources/VDC.plugin/Contents/MacOS/VDC
identifies the system framework (CoreMediaIO) and the plugin component (VDC).

AFAIK, loading that framework is required to actually use the camera, but it isn't sufficient to gain that access. In other words, an app would need to use functions in that framework for camera access, but the system can still deny access if that's what the Security & Privacy permission is set to.

The logical distinction is between "necessary" and "sufficient". Using the framework is necessary, but by itself isn't sufficient, AFAIK. An app would also need the proper OS-enforced security permission, which you have control over.

Since apps like FaceTime or Photo Booth will use the same media-access framework, they would appear in the list of apps who are using the framework. So having them appear in the list would be expected.

Apps like Safari (or any browser) will necessarily use the framework, but will also be constrained by the camera access policy you have set up.

In short, just because an app loads a particular framework, it doesn't necessarily imply that the app has unfettered access to every capability provided by that framework. The security architecture has finer-grained access controls than just at the framework level.

Some parts of the above may be incorrect. It may depend on which OS version you're using.


The article you linked does describe what the command line does.

The lsof command list all the processes who have loaded the media-access framework. Its output is then searched by the grep command for all occurrences of the string "VDC", or "AppleCamera", or whatever the word after grep is. The resulting output is then shown.

Thanks! But so that does mean, that something coming from Safari at least *tried* to access my camera, right?

I am using Mac OS 10.13.6 by the way.

If you concerned about slowing apps to see your camera then install the reverse firewall shareware Little Snitch and be surprised of how many connections apps make in day!

Thanks, I have installed it. It's shocking to see all the stuff it connects you with. I wish there would be some sort of groups (like ads) that it could identify and that we could block altogether.

 

[chown33]

Thanks! But so that does mean, that something coming from Safari at least *tried* to access my camera, right?

I am using Mac OS 10.13.6 by the way.

The way apps are built, it would load the framework regardless of whether it tried to actually access the camera or not. That's the way most frameworks work.

It's very likely that the way for an app to check whether it can access the camera is to try it. The action succeeds or fails according to your security policy, but the check must be made when some web page requests it. The check would be a function in the framework, or in the component of the framework used to access the camer.

Until demonstrated otherwise, the only thing I would conclude about the "VDC" (or "iSight" or whatever) component being loaded is that some webpage you visited made a request to access the camera. That doesn't necessarily mean it succeeded, only that it asked.

You could test this hypothesis by restarting Safari, running the VDC command line to confirm it's not loaded yet, then telling Safari to visit a website where you know camera access will be requested. Then after hitting that site (or page), check whether access was granted (does the page work correctly, showing camera access granted). Whether or not access was granted, run the VDC command line again to find out whether the component was loaded.

I don't know of any sites in particular that will definitely request camera access, but my guess would be anything that takes photos using the website (as distinct from an app associated with the site), or allows video communications between persons.

 

[Silly John Fatty]

The way apps are built, it would load the framework regardless of whether it tried to actually access the camera or not. That's the way most frameworks work.

It's very likely that the way for an app to check whether it can access the camera is to try it. The action succeeds or fails according to your security policy, but the check must be made when some web page requests it. The check would be a function in the framework, or in the component of the framework used to access the camer.

Until demonstrated otherwise, the only thing I would conclude about the "VDC" (or "iSight" or whatever) component being loaded is that some webpage you visited made a request to access the camera. That doesn't necessarily mean it succeeded, only that it asked.

You could test this hypothesis by restarting Safari, running the VDC command line to confirm it's not loaded yet, then telling Safari to visit a website where you know camera access will be requested. Then after hitting that site (or page), check whether access was granted (does the page work correctly, showing camera access granted). Whether or not access was granted, run the VDC command line again to find out whether the component was loaded.

I don't know of any sites in particular that will definitely request camera access, but my guess would be anything that takes photos using the website (as distinct from an app associated with the site), or allows video communications between persons.

Yes, I understand that it didn't necessarily succeed, but only tried to access the camera. But that alone is worrying. Why would it do that? I have, like stated in my original post, restarted Safari several times (with the same tabs opened) and run the command - but Safari wasn't listed anymore. So basically, one of the sites I had visited was trying to access my camera, but once I tried to repeat it, it wasn't trying anymore. Still worrying if you ask me.

I have now installed Micro Snitch in addition to Little Snitch, and obviously it appears in the list when I run the command. It's supposed to protect me from someone spying, but I hope it doesn't spy itself on me.

PS: I just checked the tabs I had opened when this happened:
- Wikipedia
- Google Search
- EconStor.eu
- keydifferences.com

 

[chown33]

... So basically, one of the sites I had visited was trying to access my camera, but once I tried to repeat it, it wasn't trying anymore. Still worrying if you ask me.

It could have been any site that had ads, where one of the ads or frames ran some JavaScript that checked for access to the camera.

Web pages often contain links to other sites that provide content. Any one of those other sites could have had the camera access attempt.

PS: I just checked the tabs I had opened when this happened:
- Wikipedia
- Google Search
- EconStor.eu
- keydifferences.com

As noted above, you'd have to find all the sites that were supplying ads at the time. That's not likely to be repeatable, given the nature of how ads work.

Since a component is loaded once and not normally unloaded (generally speaking), it could be any other site you'd visited, or one of their ad suppliers, since the previous time that Safari had been launched.

 

[Silly John Fatty]

It could have been any site that had ads, where one of the ads or frames ran some JavaScript that checked for access to the camera.

Web pages often contain links to other sites that provide content. Any one of those other sites could have had the camera access attempt.



As noted above, you'd have to find all the sites that were supplying ads at the time. That's not likely to be repeatable, given the nature of how ads work.

Since a component is loaded once and not normally unloaded (generally speaking), it could be any other site you'd visited, or one of their ad suppliers, since the previous time that Safari had been launched.

Yes, I imagined it had something to do with ads. I should install an Adblocker. I wanted to install uBlock Origin - apparently it was the best one - but it's not possible anymore on my system. Thanks Apple I guess.

 

[satcomer]

Thanks! But so that does mean, that something coming from Safari at least *tried* to access my camera, right?

I am using Mac OS 10.13.6 by the way.



Thanks, I have installed it. It's shocking to see all the stuff it connects you with. I wish there would be some sort of groups (like ads) that it could identify and that we could block altogether.

Just do your homework and allow app updates connections for programs but stop adding tracking when going to other web sites! Plus it is good preventative vigilance is empty your browser CACHE once every two weeks to keep from tracking cookies!

 

[Silly John Fatty]

Just do your homework and allow app updates connections for programs but stop adding tracking when going to other web sites! Plus it is good preventative vigilance is empty your browser CACHE once every two weeks to keep from tracking cookies!

Yup. I wish Safari had a feature that would allow you to block the cookies for all sites but with exceptions. That would be the easiest thing.

 

[satcomer]

Yup. I wish Safari had a feature that would allow you to block the cookies for all sites but with exceptions. That would be the easiest thing.

It already does with Private Browsing!

 

[Silly John Fatty]

It already does with Private Browsing!

How do you make exceptions? You would have to login etc. again every time. Basically I would want to have the "Block all cookies" preference set, but also have a list of sites that I would like to permanently exclude. As far as I know, that's not possible.

 

[satcomer]

How do you make exceptions? You would have to login etc. again every time. Basically I would want to have the "Block all cookies" preference set, but also have a list of sites that I would like to permanently exclude. As far as I know, that's not possible.

How I do it is with a reverse firewall shareware Little Snitch to stop internal call backs from programs when not running!

 

[Silly John Fatty]

How I do it is with a reverse firewall shareware Little Snitch to stop internal call backs from programs when not running!

Okay, yes, I thought you meant Safaris "Private Browsing" feature. I installed Little Snitch as well and have it set so that it asks me on each call if I would like to allow it or not. What's a little bit annoying is that often you don't know what exactly you are blocking, and that will sometimes break the site.

I managed to figure out what I need to block on most sites I visit on a regular basis, and I must say, they run so much faster now! Those ads were slowing everything down.

I do wish it would have a feature that would recognise ads however, or non-needed, non-functional stuff. I'd like to block all non-functional stuff basically (without having to spend half an hour to figure out myself).