Apple awarded $75,000 to hacker for iPhone, Mac camera exploits

Ruben Fields
April 7, 2020

Although hackers would need only three of the bugs to control the webcam as envisioned by Pickren, he still found another flaw, which he submitted as well. The camera exploit was patched in Safari 13.0.5, released on January 28.

Apple's bug bounty program's scope was expanded in December to cover more devices and products.

Pickren discovered seven zero-day vulnerabilities in Apple Safari, three of which enabled him to form an attack chain and successfully hijack the iPhone camera, Forbes reported. However, Pickren found that explicit permission is not required when the request comes directly from another Apple app. Former Amazon Web Services security engineer and ethical hacker Ryan Pickren proved that your iPhone's camera could be hacked and used by malicious third parties.

The vulnerabilities were discovered last December when Pickren made a decision to "hammer the browser with obscure corner cases" until odd behavior was uncovered.

The person responsible for identifying the vulnerabilities in Safari was hacker Ryan Pickren.

Pickren notified Apple about the vulnerabilities in mid-December of the previous year, and Apple was fairly quick to validate all seven bugs and issued a fix for the three annoying camera bugs by updating the Safari web browser to version 13.0.5 a few weeks later. Still, that website could directly access the camera, provided you've previously relied on a video conferencing site like Zoom, for example.

Pickren says some of these bugs are quite old, dating from "years ago", and that they probably weren't as unsafe then as they are now.

All zero-days were effectively patched as of the latest Safari update, 13.1, which was released on March 24.

Speaking to Forbes, Pickren stated, "A bug like this shows why users should never feel totally confident that their camera is secure, regardless of operating system or manufacturer".

Naturally, the payment that Apple offers for undisclosed errors varies depending on the severity and type of application involved. Her writing has appeared on Edible Apple, Network World, MacLife, Macworld UK, and more recently, TUAW.
