Hacking the iOS/macOS webcam - Apple pays out $75,000 to bug hunter

Graham CLULEY

April 03, 2020

A vulnerability researcher has received a bug bounty after discovering security holes in Apple’s software that could allow malicious parties to hijack an iPhone or Mac user’s camera and spy on them.

Bug hunter Ryan Pickren is richer to the tune of $75,000 after responsibly disclosing seven zero-day vulnerabilities in the Apple Safari browser for macOS and iOS, three of which could be combined into a camera-hijacking kill chain.

Pickren was able to exploit his knowledge that, unlike third-party apps, Apple’s own software did not display an alert box when it was trying to access the camera and microphone.

As the researcher explains in a highly technical blog post, all apps – apart from Apple’s own – require permission to be explicitly granted to access the camera and microphone.

Pickren says that this is “great for web-based video conferencing apps such as Skype or Zoom” – but what about Apple’s browser, Safari?

After what he described as “pretty intense” research, Pickren discovered that if a Safari user could be tricked into visiting a booby-trapped website containing malicious JavaScript, their camera and microphone could be compromised.

Pickren was able to demonstrate that the attack worked on both the macOS and iOS versions of Safari 13.0.4.

Fortunately, Pickren did not make his discoveries public, but instead responsibly disclosed details of the zero-day vulnerabilities he found to Apple in December 2019, via its bug bounty program.

As Forbes reports, Apple released a version of Safari (13.0.5) on January 28, 2020 which addressed the three zero-day vulnerabilities exploited in the camera hijacking attack.

The rest of the zero-day vulnerabilities, deemed less serious than those used in the camera hijack, were patched in version 13.1 of Safari released last month.

There is no evidence that malicious hackers exploited the vulnerability to seize control of iPhone and Mac users’ devices to spy on them, but it’s also impossible to prove that no one before Pickren had uncovered the flaw.

Considering that so many computer and smartphone users have a camera in their devices that is pointing at them all of the time, it’s essential that flaws like this are properly patched, and Pickren deserves every cent of that $75,000 reward for handling his findings responsibly.
