A white hat hacker says he has earned $75,000 from Apple for reporting several Safari vulnerabilities that can be exploited to hijack the camera and microphone of devices running iOS or macOS.
Researcher Ryan Pickren identified a total of seven vulnerabilities in Apple’s Safari web browser, three of which can be exploited to spy on users through the camera and microphone of their iPhone, iPad or Mac computer. The attack only requires the targeted user to access a malicious website — no other interaction is needed.
Apple patched the vulnerabilities that allow hackers to spy on users in January, while the other flaws were fixed in March. Pickren said his exploit fell into the “Network Attack without User Interaction: Zero-Click Unauthorized Access to Sensitive Data” category in Apple’s bug bounty program. He earned $75,000 for his findings, but the top reward in this category is $500,000.
According to Pickren, the flaws are related to Apple’s decision to allow users to permanently save security settings on a per-website basis. An attacker can set up a malicious website that gains access to the camera and microphone by claiming to be a trusted video conferencing service such as Zoom or Skype.
“Put simply – the bug tricked Apple into thinking a malicious website was actually a trusted one. It did this by exploiting a series of flaws in how Safari was parsing URIs, managing web origins, and initializing secure contexts,” the researcher explained in a blog post summarizing his findings.
He added, “If a malicious website strung these issues together, it could use JavaScript to directly access the victim’s webcam without asking for permission. Any JavaScript code with the ability to create a popup (such as a standalone website, embedded ad banner, or browser extension) could launch this attack.”
Pickren has also published a lengthy blog post with technical information about the vulnerabilities. He has also made available proof-of-concept (PoC) exploit code and demos.
This is not the first time Apple has patched vulnerabilities that can be exploited to spy on users. Last year, the company fixed a vulnerability in FaceTime that could have given hackers access to a device’s camera and microphone.
Related: macOS Vulnerability Leaks Safari Data
Related: New York Investigating Apple’s Response to FaceTime Spying Bug
Related: Flaw in Walkie-Talkie App on Apple Watch Allows Spying

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Vulnerabilities in Honda eCommerce Platform Exposed Customer, Dealer Data
- Barracuda Urges Customers to Replace Hacked Email Security Appliances
- Google Patches Third Chrome Zero-Day of 2023
- ChatGPT Hallucinations Can Be Exploited to Distribute Malicious Code Packages
- AntChain, Intel Create New Privacy-Preserving Computing Platform for AI Training
- Several Major Organizations Confirm Being Impacted by MOVEit Attack
- Verizon 2023 DBIR: Human Error Involved in Many Breaches, Ransomware Cost Surges
- Ransomware Group Used MOVEit Exploit to Steal Data From Dozens of Organizations
Latest News
- Consolidate Vendors and Products for Better Security
- Pharmaceutical Giant Eisai Takes Systems Offline Following Ransomware Attack
- Vulnerabilities in Honda eCommerce Platform Exposed Customer, Dealer Data
- North Korean Hackers Blamed for $35 Million Atomic Wallet Crypto Theft
- Cisco Patches Critical Vulnerability in Enterprise Collaboration Solutions
- Barracuda Urges Customers to Replace Hacked Email Security Appliances
- Android’s June 2023 Security Update Patches Exploited Arm GPU Vulnerability
- BBC, British Airways, Novia Scotia Among First Big-Name Victims in Global Supply-Chain Hack
