Apple Paid Hacker $75,000 for Uncovering Zero-Day Camera Exploits in Safari

Apple paid out $75,000 to a hacker for identifying multiple zero-day vulnerabilities in its software, some of which could be used to hijack the camera on a MacBook or an iPhone, according to Forbes.

A zero-day vulnerability refers to a security hole in software that is unknown to the software developer and the public, although it may already be known by attackers who are quietly exploiting it.

Security researcher Ryan Pickren reportedly discovered the vulnerabilities in Safari after he decided to "hammer the browser with obscure corner cases" until it started showing weird behavior.

Pickren found seven vulnerabilities in all. They involved the way Safari parsed Uniform Resource Identifiers (URIs), managed web origins, and initialized secure contexts, and three of them allowed him to gain access to the camera by tricking the user into visiting a malicious website.

"A bug like this shows why users should never feel totally confident that their camera is secure," Pickren said, "regardless of operating system or manufacturer."

Pickren reported his research through Apple's Bug Bounty Program in December 2019. Apple validated all seven bugs immediately and shipped a fix for the camera kill chain a few weeks later. The camera exploit was patched in Safari 13.0.5, released January 28. The remaining zero-day vulnerabilities, which Apple judged to be less severe, were patched in Safari 13.1, released on March 24.

Apple opened its bug bounty program to all security researchers in December 2019. Prior to that, Apple's bug bounty program was invitation-based and non-iOS devices were not included. Apple also increased the maximum size of the bounty from $200,000 per exploit to $1 million depending on the nature of the security flaw.

When submitting reports, researchers must include a detailed description of the issue, an explanation of the state of the system when the exploit works, and enough information for Apple to reliably reproduce the issue.

This year, Apple plans to provide vetted and trusted security researchers and hackers with "dev" iPhones, or special iPhones that provide deeper access to the underlying software and operating system that will make it easier for vulnerabilities to be discovered.

These iPhones are being provided as part of Apple's forthcoming iOS Security Research Device Program, which aims to encourage additional security researchers to disclose vulnerabilities, ultimately leading to more secure devices for consumers.

Top Rated Comments

Skeith
19 months ago
Good Apple.
Score: 10 Votes

Justanotherfanboy
19 months ago
The iPhone needs a camera light hardwired to the camera itself, just like the Mac, so that exploits like this would at least be noticeable.

So only $75,000 for an exploit that can allow remotely accessing the camera on the Mac or iPhone? Then what in the hell is a $1,000,000 bounty for?

Remote root access, allowing an attacker complete takeover of the system, including deleting the admin account, changing the password, etc.
Score: 9 Votes

The Oak
19 months ago
Considering the median US income is around $60k ... $75k is more than a year's work for most Americans. I definitely would not complain.
Score: 7 Votes

tridley68
19 months ago
$75,000 sounds a little light; he should have held out for more.
Score: 6 Votes

MacBH928
19 months ago
Cameras and microphones should have physical disconnection.
Score: 5 Votes

JosephAW
19 months ago
I was just saying this about bandaids and electrical tape on cameras in the other forum post about the mic.

If you can't update your Safari because Apple EOL'd and obsoleted your devices, then this is the only workaround.
Score: 4 Votes
