Apple paid a cybersecurity student what’s thought to be a record-high $105,000 bug bounty. Why? He showed the company how hacking its webcams can render the devices fully vulnerable to further attacks.
Mac webcam hack: Issues with Safari and iCloud
Student Ryan Pickren, who previously discovered an iPhone and Mac camera vulnerability, said the new webcam vulnerability concerned a series of issues with Safari and iCloud. The flaws, now patched by Apple, could let malicious websites launch attacks.
Pickren further explained the problem would give an attacker full access to all web-based accounts, including big services like Gmail, iCloud and PayPal. It also would enable permission to use the microphone, camera and screen-sharing. Use of the camera might not go undiscovered, though, because the green indicator light would show as usual.
Full access to file system
Pickren noted such a hack could give an attacker unfettered access to a device’s full file system. The key involves exploiting Safari’s “webarchive” files. That’s the system the browser uses to save local copies of websites.
“A startling feature of these files is that they specify the web origin that the content should be rendered in,” Pickren wrote. “This is an awesome trick to let Safari rebuild the context of the saved website, but as the Metasploit authors pointed out back in 2013, if an attacker can somehow modify this file, they could effectively achieve UXSS [universal cross-site scripting] by design.”
For a successful exploit, a hacker must download such a webarchive file — and also open it. Pickren suggested that’s why Apple considered it an unlikely hacking scenario when it first put Safari’s webarchive in place.
“Granted this decision was made nearly a decade ago, when the browser security model wasn’t nearly as mature as it is today,” Pickren said. “Prior to Safari 13, no warnings were even displayed to the user before a website downloaded arbitrary files. So planting the webarchive file was easy.”
Apple paid out $100,500
Apple offered no comment on the bug, including whether anyone exploited it before or after its discovery. But the Cupertino tech giant paid Pickren $100,500 from its bug bounty program. That’s $500 more than previously reported payouts.
The program can award up to $1 million. Apple publishes a list of maximum sums per security-issue category reported. Security experts are not required to disclose their award amounts.
That said, at some point Apple may have paid out more than the $100,500 for Pickren. In the past, critics dinged the company for undercutting its own maximum payout amounts — though not always — and for being slow at times to patch security holes.
