Hacking the iOS/macOS webcam - Apple pays out $75,000 to bug hunter

Graham CLULEY

April 03, 2020

A vulnerability researcher has received a bug bounty after discovering security holes in Apple’s software that could allow malicious parties to hijack an iPhone or Mac user’s camera and spy upon them.

Bug hunter Ryan Pickren is richer to the tune of $75,000 after responsibly disclosing seven zero-day vulnerabilities in the Apple Safari browser for macOS and iOS, three of which could be combined into a camera-hijacking kill chain.

Pickren exploited the fact that, unlike third-party apps, Apple’s own software did not show the user an alert box when it was trying to access the camera and microphone.

As the researcher explains in a highly technical blog post, all apps – apart from Apple’s own – require permission to be explicitly granted to access the camera and microphone.

Pickren says that this is “great for web-based video conferencing apps such as Skype or Zoom” – but what about Apple’s browser, Safari?

After what he described as “pretty intense” research, Pickren discovered that if a Safari user could be tricked into visiting a booby-trapped website containing malicious JavaScript, their camera and microphone could be compromised.

Pickren was able to demonstrate that the attack worked on both the macOS and iOS versions of Safari 13.0.4.

Fortunately, Pickren did not make his discoveries public, but instead responsibly disclosed details of the zero-day vulnerabilities he had found to Apple in December 2019, via its bug bounty program.

As Forbes reports, Apple released a version of Safari (13.0.5) on January 28, 2020 which addressed the three zero-day vulnerabilities exploited in the camera-hijacking attack.

The rest of the zero-day vulnerabilities, deemed less serious than those used in the camera hijack, were patched in version 13.1 of Safari released last month.

There is no evidence that malicious hackers exploited the vulnerability to seize control of iPhone and Mac users’ devices and spy upon them, but it is also impossible to prove that no one before Pickren had uncovered the flaw.

Considering that so many computer and smartphone users have a camera in their devices that is pointing at them all of the time, it’s essential that flaws like this are properly patched and fixed, and Pickren deserves every cent of that $75,000 reward for handling his findings responsibly.
