Apple Awards Researcher $75,000 for Camera Hacking Vulnerabilities

A white hat hacker says he has earned $75,000 from Apple for reporting several Safari vulnerabilities that can be exploited to hijack the camera and microphone of devices running iOS or macOS.

Researcher Ryan Pickren identified a total of seven vulnerabilities in Apple’s Safari web browser, three of which can be exploited to spy on users through the camera and microphone of their iPhone, iPad or Mac computer. The attack only requires the targeted user to access a malicious website — no other interaction is needed.

Apple patched the vulnerabilities that allow hackers to spy on users in January, while the other flaws were fixed in March. Pickren said his exploit fell into the “Network Attack without User Interaction: Zero-Click Unauthorized Access to Sensitive Data” category in Apple’s bug bounty program. He earned $75,000 for his findings, but the top reward in this category is $500,000.

According to Pickren, the flaws are related to Apple’s decision to allow users to permanently save security settings on a per-website basis. An attacker can set up a malicious website that gains access to the camera and microphone by claiming to be a trusted video conferencing service such as Zoom or Skype.

“Put simply – the bug tricked Apple into thinking a malicious website was actually a trusted one. It did this by exploiting a series of flaws in how Safari was parsing URIs, managing web origins, and initializing secure contexts,” the researcher explained in a blog post summarizing his findings.

He added, “If a malicious website strung these issues together, it could use JavaScript to directly access the victim’s webcam without asking for permission. Any JavaScript code with the ability to create a popup (such as a standalone website, embedded ad banner, or browser extension) could launch this attack.”
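The mechanism described above turns on one design point: a browser that persists camera and microphone grants per site has to key them on something an attacker cannot spoof, namely the full web origin (scheme, host, port) of a secure context, and it has to resolve the asking page to exactly that origin every time. The following is an added illustration of that general failure mode, not Safari's code and not Pickren's proof of concept; it contrasts an origin-keyed permission store with a hypothetical look-alike check that only asks whether the trusted name appears somewhere in the URL. The names (`originOf`, `PermissionStore`, `naiveIsTrusted`, `demo`) and the trusted host `video.example` are assumptions made for this example.

```javascript
// Added example, not code from the original article or from Apple.
// Demonstrates why saved media grants must be keyed on the full origin of a
// secure context rather than on a loose match against the URL string.

// Return the origin (scheme://host[:port]) for an https URL, or null when the
// URL is malformed or not a secure context. The WHATWG URL parser lowercases
// the host, drops a default port and splits userinfo away from the host.
function originOf(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return null; // unparseable input never matches a stored grant
  }
  if (url.protocol !== "https:") {
    return null; // camera/mic access is only meaningful in a secure context
  }
  return url.origin;
}

class PermissionStore {
  constructor() {
    this.grants = new Map(); // origin -> Set of capability names
  }

  // Persist a grant such as "camera" for the origin of urlString.
  grant(urlString, capability) {
    const origin = originOf(urlString);
    if (origin === null) {
      throw new Error(`refusing to persist a grant for ${urlString}`);
    }
    if (!this.grants.has(origin)) this.grants.set(origin, new Set());
    this.grants.get(origin).add(capability);
  }

  // Later lookup: the asking page must resolve to exactly the stored origin.
  isGranted(urlString, capability) {
    const origin = originOf(urlString);
    if (origin === null) return false;
    const caps = this.grants.get(origin);
    return caps !== undefined && caps.has(capability);
  }
}

// Constructed weak check (hypothetical): "trusted if the URL mentions the
// trusted host". This is the general shape of mistake that lets an
// attacker-controlled page pass as a trusted one; it is not a description of
// the specific Safari bugs the article reports.
function naiveIsTrusted(urlString, trustedHost) {
  return urlString.toLowerCase().includes(trustedHost.toLowerCase());
}

// Run both checks over constructed probe URLs and return the verdicts.
function demo() {
  const store = new PermissionStore();
  store.grant("https://video.example/meeting/123", "camera");

  const probes = [
    "https://video.example/other-page",            // same origin, other path
    "https://VIDEO.example:443/",                  // case and default port normalised
    "http://video.example/",                       // not a secure context
    "https://video.example:8443/",                 // other port, other origin
    "https://video.example.attacker.example/",     // look-alike subdomain
    "https://video.example@attacker.example/",     // trusted name in userinfo
    "https://attacker.example/?ref=video.example", // trusted name in the query
  ];

  return probes.map((u) => ({
    url: u,
    originKeyed: store.isGranted(u, "camera"),
    substringKeyed: naiveIsTrusted(u, "video.example"),
  }));
}

console.log(JSON.stringify(demo(), null, 2));
```

Only the first two probes are the trusted site; the origin-keyed store grants exactly those and refuses the http scheme, the alternate port, the look-alike subdomain, the userinfo trick and the query-string mention, while the substring check accepts all seven. The userinfo probe is the one to keep in mind: a hand-rolled parser that finds the first "video.example" in the string sees the trusted host, whereas the URL parser correctly reports `attacker.example` as the host.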

Pickren has also published a lengthy technical write-up of the vulnerabilities, along with proof-of-concept (PoC) exploit code and demo videos.

This is not the first time Apple has patched vulnerabilities that can be exploited to spy on users. Last year, the company fixed a vulnerability in FaceTime that could have given hackers access to a device’s camera and microphone.

Related: macOS Vulnerability Leaks Safari Data

Related: New York Investigating Apple’s Response to FaceTime Spying Bug

Related: Flaw in Walkie-Talkie App on Apple Watch Allows Spying

Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.