Hacking the iOS/macOS webcam - Apple pays out $75,000 to bug hunter

Graham CLULEY

April 03, 2020

A vulnerability researcher has received a bug bounty after discovering security holes in Apple’s software that could allow malicious parties to hijack an iPhone or Mac user’s camera and spy upon them.

Bug hunter Ryan Pickren is richer to the tune of $75,000 after responsibly disclosing seven zero-day vulnerabilities in the Apple Safari browser for macOS and iOS, three of which could be combined into a camera-hijacking kill chain.

Pickren was able to exploit his knowledge that, unlike third-party apps, Apple’s own software did not trigger an alert box when it tried to access the camera and microphone.

As the researcher explains in a highly technical blog post, all apps – apart from Apple’s own – require permission to be explicitly granted to access the camera and microphone.

Pickren says that this is “great for web-based video conferencing apps such as Skype or Zoom” – but what about Apple’s browser, Safari?

After what he described as “pretty intense” research, Pickren discovered that if a Safari user could be tricked into visiting a boobytrapped website containing malicious JavaScript, their camera and microphone could be compromised.

Pickren was able to demonstrate that the attack worked on both the macOS and iOS versions of Safari 13.0.4.

Fortunately Pickren did not make his discoveries public, but instead responsibly disclosed details of the zero-day vulnerabilities he found to Apple in December 2019, via its bug bounty program.

As Forbes reports, Apple released a version of Safari (13.0.5) on January 28, 2020, which addressed the three zero-day vulnerabilities exploited in the camera hijacking attack.

The rest of the zero-day vulnerabilities, deemed less serious than those used in the camera hijack, were patched in version 13.1 of Safari released last month.

There is no evidence that malicious hackers exploited the vulnerability to seize control of iPhone and Mac users’ devices to spy upon them, but it’s also impossible to prove that no-one before Pickren had uncovered the flaw.

Considering that so many computer and smartphone users have a camera in their devices that is pointing at them all of the time, it’s essential that flaws like this are properly patched and fixed, and Pickren deserves every cent of that $75,000 reward for handling his findings responsibly.
