Hacking the iOS/macOS webcam – Apple pays out $75,000 to bug hunter

A vulnerability researcher has received a bug bounty after discovering security holes in Apple’s software that could allow malicious parties to hijack an iPhone or Mac user’s camera and spy upon them.

Bug hunter Ryan Pickren is richer to the tune of $75,000 after responsibly disclosing seven zero-day vulnerabilities in the Apple Safari browser for macOS and iOS, three of which could be combined into a camera-hijacking kill chain.

Pickren was able to exploit his knowledge that, unlike third-party apps, Apple’s own software did not display an alert box when it tried to access the camera and microphone.

As the researcher explains in a highly technical blog post, all apps – apart from Apple’s own – require permission to be explicitly granted to access the camera and microphone.

Pickren says that this is “great for web-based video conferencing apps such as Skype or Zoom” – but what about Apple’s browser, Safari?

After what he described as “pretty intense” research, Pickren discovered that if a Safari user could be tricked into visiting a boobytrapped website containing malicious JavaScript, their camera and microphone could be compromised.

Pickren was able to demonstrate that the attack worked on both the macOS and iOS versions of Safari 13.0.4.

Fortunately Pickren did not make his discoveries public, but instead responsibly disclosed details of the zero-day vulnerabilities he found to Apple in December 2019, via its bug bounty program.

As Forbes reports, Apple released a version of Safari (13.0.5) on January 28, 2020, which addressed the three zero-day vulnerabilities exploited in the camera hijacking attack.

The rest of the zero-day vulnerabilities, deemed less serious than those used in the camera hijack, were patched in version 13.1 of Safari, released last month.

There is no evidence that malicious hackers exploited the vulnerability to seize control of iPhone and Mac users’ devices to spy upon them, but it’s also impossible to prove that no-one before Pickren had uncovered the flaw.

Considering that so many computer and smartphone users have a camera in their devices that is pointing at them all of the time, it’s essential that flaws like this are properly patched and fixed, and Pickren deserves every cent of that $75,000 reward for handling his findings responsibly.

About the author

Graham CLULEY

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.