MacRumors

macrumors bot
Original poster
Apr 12, 2001

Apple paid out $75,000 to a hacker for identifying multiple zero-day vulnerabilities in its software, some of which could be used to hijack the camera on a MacBook or an iPhone, according to Forbes.

A zero-day vulnerability refers to a security hole in software that is unknown to the software developer and the public, although it may already be known by attackers who are quietly exploiting it.

Security researcher Ryan Pickren reportedly discovered the vulnerabilities in Safari after he decided to "hammer the browser with obscure corner cases" until it started showing weird behavior.

The bug hunter found seven exploits in all. The vulnerabilities involved the way that Safari parsed Uniform Resource Identifiers, managed web origins and initialized secure contexts, and three of them allowed him to get access to the camera by tricking the user into visiting a malicious website.
"A bug like this shows why users should never feel totally confident that their camera is secure," Pickren said, "regardless of operating system or manufacturer."
Pickren reported his research through Apple's Bug Bounty Program in December 2019. Apple validated all seven bugs immediately and shipped a fix for the camera kill chain a few weeks later. The camera exploit was patched in Safari 13.0.5, released January 28. The remaining zero-day vulnerabilities, which Apple judged to be less severe, were patched in Safari 13.1, released on March 24.

Apple opened its bug bounty program to all security researchers in December 2019. Prior to that, Apple's bug bounty program was invitation-based and non-iOS devices were not included. Apple also increased the maximum size of the bounty from $200,000 per exploit to $1 million depending on the nature of the security flaw.

When submitting reports, researchers must include a detailed description of the issue, an explanation of the state of the system when the exploit works, and enough information for Apple to reliably reproduce the issue.

This year, Apple plans to provide vetted and trusted security researchers and hackers with "dev" iPhones, or special iPhones that provide deeper access to the underlying software and operating system that will make it easier for vulnerabilities to be discovered.

These iPhones are being provided as part of Apple's forthcoming iOS Security Research Device Program, which aims to encourage additional security researchers to disclose vulnerabilities, ultimately leading to more secure devices for consumers.

Article Link: Apple Paid Hacker $75,000 for Uncovering Zero-Day Camera Exploits in Safari
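The article says the bugs lived in how Safari parsed URIs, derived web origins and decided what counts as a secure context. The following is an added illustration of why those three steps are security-critical, not code from the article or from Pickren's research, and it makes no claim about what the actual Safari bugs were. A browser keys the same-origin policy, and therefore a site's remembered camera and microphone permission, on the (scheme, host, port) tuple the URL parser produces, and getUserMedia is only exposed in secure contexts. The block compares an ad-hoc origin derivation against the WHATWG URL parser (Node's global URL, the same algorithm browsers implement) over constructed corner-case URLs, and approximates the "potentially trustworthy" check from the Secure Contexts spec. Sample URLs and hostnames are constructed for the example.

```javascript
// Added example, not from the article or from Pickren's write-up. Runs under
// Node.js (URL is a global); in a browser the same URL class is available.

// Ad-hoc origin derivation a careless handler might use: scheme plus
// everything up to the first "/", "?" or "#" after "://", copied verbatim.
function naiveOrigin(raw) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^/?#]*)/i.exec(raw);
  return m ? `${m[1]}://${m[2]}` : null;
}

// Origin as the WHATWG URL parser computes it: lower-cased scheme and host,
// userinfo dropped, default port dropped, leading/trailing whitespace removed,
// IDNA host converted to punycode, blob: URLs inherit the inner URL's origin,
// and opaque origins (file:, data:) serialize as the string "null".
function specOrigin(raw) {
  try {
    return new URL(raw).origin;
  } catch (e) {
    return null; // not parseable at all
  }
}

// Approximation of the Secure Contexts "potentially trustworthy" test for
// network schemes: https:/wss:, or http:/ws: on a loopback host. file: and
// browser-internal schemes are implementation-defined and left out here.
function isPotentiallyTrustworthy(raw) {
  let u;
  try { u = new URL(raw); } catch (e) { return false; }
  if (u.protocol === 'https:' || u.protocol === 'wss:') return true;
  if (u.protocol !== 'http:' && u.protocol !== 'ws:') return false;
  const host = u.hostname.replace(/^\[|\]$/g, ''); // hostname keeps [] on IPv6
  return host === 'localhost' || host.endsWith('.localhost') ||
         /^127\.\d+\.\d+\.\d+$/.test(host) || host === '::1';
}

// Constructed corner cases (not taken from any real bug report).
const SAMPLES = [
  'https://example.com/cam',                  // plain
  'HTTPS://EXAMPLE.COM:443/cam',              // case and default port
  'https://user:pw@attacker.example/',        // userinfo before the host
  'https://example.com\\@attacker.example/',  // "\" acts as "/" for https
  ' https://example.com/',                    // leading space stripped by parser
  'https://www.b\u00fccher.example/',         // IDNA host (bücher)
  'blob:https://example.com/some-uuid',       // blob: inherits inner origin
  'file:///Users/me/page.html',               // opaque origin
  'http://localhost:3000/',                   // loopback is a secure context
  'http://example.com/',                      // plain http is not
];

// One record per sample, so the disagreements are easy to inspect.
function compareOrigins(samples = SAMPLES) {
  return samples.map((raw) => {
    const naive = naiveOrigin(raw);
    const spec = specOrigin(raw);
    return { raw, naive, spec, agree: naive === spec, secure: isPotentiallyTrustworthy(raw) };
  });
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of compareOrigins()) {
    console.log(`${r.agree ? 'ok  ' : 'DIFF'} secure=${r.secure} ` +
                `${JSON.stringify(r.raw)} naive=${r.naive} spec=${r.spec}`);
  }
}
```

Seven of the ten constructed inputs produce a different "origin" depending on which derivation is used. Any component that decides "is this the same site the user already granted camera access to?" or "may this page call getUserMedia at all?" from a string comparison rather than from the parsed origin is exactly where parser corner cases turn into permission bugs, which is the class of problem the article describes.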
"Apple also increased the maximum size of the bounty from $200,000 per exploit to $1 million depending on the nature of the security flaw."

Give this person the full $1mil.! A camera exploit (the ultimate privacy intruder) seems pretty big when it comes to a 'security flaw.'
This bug-squishing bounty program is clearly a good thing, and the camera is bad; however, the camera has to "see you". What would be worse is access to the microphone. And as somebody above said, physical kill switches would be great, but Apple won't do them.

But I'm not resorting to electrical tape all over the place on my iPhone/iPad.
 
"This year, Apple plans to provide vetted and trusted security researchers and hackers with "dev" iPhones, or special iPhones that provide deeper access to the underlying software and operating system that will make it easier for vulnerabilities to be discovered."

This sounds like a very good idea.
 
If the guy found all these bugs in 3 months or less, that sounds like a pretty sweet payday to me.

If he spent all year to find them, kind of a lame payout.
 
"Apple also increased the maximum size of the bounty from $200,000 per exploit to $1 million depending on the nature of the security flaw."

Give this person the full $1mil.! A camera exploit (the ultimate privacy intruder) seems pretty big when it comes to a 'security flaw.'

I think your imagination is lacking if you can't think of a variety of camera exploits, some worse than others.

"I can turn any iPhone camera on, control its focus and zoom, and capture video + audio and send it anywhere I want without any user interaction needed" would be a lot worse than "I can have a website that can send a single blurry image from their camera without their permission when they visit it."
 
The iPhone needs a camera light hardwired to the camera itself just like the Mac so that exploits like this would at least be noticeable.

So only $75,000 for an exploit that can allow remotely accessing the camera on the Mac or iPhone? Then what in the hell is a $1,000,000 bounty for?
 
$75k makes me wish I knew how to do what that guy can do. I would be happy with the payout, and a few of those would pay the house off.
 
The iPhone needs a camera light hardwired to the camera itself just like the Mac so that exploits like this would at least be noticeable.

So only $75,000 for an exploit that can allow remotely accessing the camera on the Mac or iPhone? Then what in the hell is a $1,000,000 bounty for?
Remote root access, allowing an attacker complete takeover of the system, including deleting the admin account, changing password, etc.
 
I’m assuming this would bypass the Safari preferences of webcam / mic being disabled.
 
"Apple also increased the maximum size of the bounty from $200,000 per exploit to $1 million depending on the nature of the security flaw."

Give this person the full $1mil.! A camera exploit (the ultimate privacy intruder) seems pretty big when it comes to a 'security flaw.'
That million would be for something like breaching the secure enclave.
 
Good to have real hackers help catch hackers.
Good AAPL is open to this
and trying to vet out confederates.
Reminds me of WW2 and Cold War double agents.
 
Considering the median US income is around $60k ... $75k is more than a year's work for most Americans. I definitely would not complain.

It's different for somebody who is a security researcher, somebody who is in high demand. This guy likely could get a job at a security consulting firm for $150k easy (and indeed his LinkedIn says he used to work for Amazon as a penetration tester).

You also have to consider the guy's overhead. Basically as a self-employed consultant you have to pay your own retirement, healthcare, sick and vacation time, administrative and legal stuff, and also take into account the time you spend unemployed, looking for work. Add on top the hardware he has to buy. All of this stuff would normally be covered for you by a conventional employer. This isn't bad in itself, but rather you have to properly account for it.

That said, it probably is fair if he spent a reasonable amount of time on it, i.e. two or so months' worth of work.
 