Can Macs get a virus just by opening a website?

I'm being stupid & anxious, but I need confirmation. I was navigating to a domain, and accidentally messed up the spelling, and it redirected me to an IP address and a fake Apple ID sign in came up, with a pop-up apparently scanning the Mac for viruses.

Of course, I know it's a fake scan. Of course, I know it's not an official site.

That's not what I'm asking, I want to know if I can get a virus on my Mac just by opening that site. I closed the tab 5 seconds after it redirected & I didn't enter anything into the text fields.

[MacBook Pro M1, Safari 15, macOS Big Sur]


Yes, it's possible.

Whenever you browse a web site, your browsing software sends a User-Agent field saying which browser it is.* A topical example is:

Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2)
       AppleWebKit/601.3.9 (KHTML, like Gecko) 
       Version/9.0.2 Safari/601.3.9

This shows the browser is Safari and which version, and that the OS is 10.11. Now, that is powerful information. Because the hacker (or more likely, their malware vendor) has a catalog of which exploits work on which OS and which browser. And so they return a page with one or more of the exploits that work against you, IF ANY.

For instance when I hunted these pages for a living, I used a current level Mac and they didn't have any exploits for that. So they would "punt" and serve me "monetization of last resort": paid search results (like on a parked domain), or often even a blank page.

They've upped their game. Now, they are offering social exploits. They returned a fake Apple login because your User-Agent said you were on a Mac.

Anyway, the answer to your question is "yes, possibly". You are in the middle of a race between the black-hats who find exploits, and the white-hats and engineers who patch exploits.

I would note that most browsers give you an option to change the User-Agent to anything you want. Using another platform/browser's agent would cause such sites to throw the wrong exploits at you... but that could cause other weirdnesses on legit sites.


* The legitimate uses of this are customizing web content for browser capability (e.g. deploying Windows-Only features or HTML5 "web app" features when the browser can handle it) and taking a census of active site users so they can map the money they make from each user vs the browsers they use, so they don't accidentally drop support for their highest rollers. Honestly, not sending User-Agent at all would be a huge boon for security, but the money-biz people would complain, and guess who wins that one.
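The same header can be read from the defending side. The sketch below is an added example, not part of the original answer: it parses Safari-on-Mac User-Agent values, as they would appear in a proxy or web server log, and flags clients older than a chosen baseline. The `MIN_SAFARI` baseline is a hypothetical policy value, and the sample headers are constructed apart from the first, which is the one quoted in the answer.

```python
import re

# Sample header values: the first is quoted in the answer, the rest are constructed.
SAMPLE_USER_AGENTS = [
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 "
    "(KHTML, like Gecko) Version/9.0.2 Safari/601.3.9",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 "
    "(KHTML, like Gecko) Version/15.0 Safari/605.1.15",
    "curl/7.79.1",
]

# Hypothetical policy value: oldest Safari release still treated as patched.
MIN_SAFARI = (15, 0)

OS_RE = re.compile(r"\(Macintosh; \w+ Mac OS X (\d+(?:[_.]\d+)*)\)")
SAFARI_RE = re.compile(r"Version/(\d+(?:\.\d+)*) Safari/")


def as_tuple(version):
    """Turn '10_11_2' or '9.0.2' into a comparable tuple of ints."""
    return tuple(int(part) for part in re.split(r"[_.]", version))


def disclosed(user_agent):
    """Return the OS and Safari versions a header reveals, or None if it
    is not a Safari-on-Mac User-Agent."""
    os_match = OS_RE.search(user_agent)
    safari_match = SAFARI_RE.search(user_agent)
    if not (os_match and safari_match):
        return None
    return {"os": as_tuple(os_match.group(1)),
            "safari": as_tuple(safari_match.group(1))}


def audit(user_agents, min_safari=MIN_SAFARI):
    """Sort header values into outdated, current and unrecognised clients."""
    report = {"outdated": [], "current": [], "unrecognised": []}
    for ua in user_agents:
        info = disclosed(ua)
        if info is None:
            report["unrecognised"].append(ua)
        elif info["safari"] < min_safari:
            report["outdated"].append(info)
        else:
            report["current"].append(info)
    return report


if __name__ == "__main__":
    for bucket, items in audit(SAMPLE_USER_AGENTS).items():
        print(bucket, items)
```

Because the header is self-reported and can be changed, as the answer notes, a result from this kind of audit is a hint about which machines to check, not proof of their patch level.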