Apple pays record $100,500 to student who found Mac webcam hack

Posted in macOS, edited January 25
A cybersecurity student has shown Apple how a hack of its Mac webcams can also leave devices fully open to hackers, earning him $100,500 from the company's bug bounty program.




Ryan Pickren, who previously discovered an iPhone and Mac camera vulnerability, has been awarded what is believed to be Apple's largest bug bounty payout.

According to Pickren, the new webcam vulnerability concerned a series of issues with Safari and iCloud that he says Apple has now fixed. Before it was patched, a malicious website could launch an attack using these flaws.

In his full account of the exploit, Pickren explains it would give the attacker full access to all web-based accounts, from iCloud to PayPal, plus permission to use the microphone, camera, and screensharing. If the camera were used, however, its regular green light would still come on as normal.

Pickren reports that the same hack would ultimately mean that an attacker could gain full access to a device's entire filesystem. It would do so by exploiting Safari's "webarchive" files, the system the browser uses to save local copies of websites.

"A startling feature of these files is that they specify the web origin that the content should be rendered in," writes Pickren. "This is an awesome trick to let Safari rebuild the context of the saved website, but as the Metasploit authors pointed out back in 2013, if an attacker can somehow modify this file, they could effectively achieve UXSS [universal cross-site scripting] by design."

A user has to download such a webarchive file, and then also open it. According to Pickren, this meant Apple did not consider this a realistic hack scenario when it first implemented Safari's webarchive.

"Granted this decision was made nearly a decade ago, when the browser security model wasn't nearly as mature as it is today," says Pickren.
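An added example, not from Pickren's write-up or from Apple: a triage script for a downloaded `.webarchive` that reads the binary property list and reports the origin each saved resource claims and whether it carries script. The key names are those of WebKit's webarchive property list; the function names and the sample archive are constructed for illustration.

```python
import plistlib
import re
from urllib.parse import urlsplit

# Heuristic markers of active content in saved HTML (not exhaustive).
ACTIVE = re.compile(rb"<script\b|\bon\w+\s*=|javascript:", re.IGNORECASE)


def origin_of(url):
    """Reduce a URL to the scheme://host[:port] origin it would claim."""
    parts = urlsplit(url)
    if parts.netloc:
        return f"{parts.scheme}://{parts.netloc}"
    return f"{parts.scheme}:" if parts.scheme else ""


def inspect_webarchive(blob):
    """List every saved resource with its claimed origin and a script flag."""
    findings = []
    def walk(node, depth):
        resources = [node.get("WebMainResource", {})] + node.get("WebSubresources", [])
        for res in resources:
            url = res.get("WebResourceURL", "")
            findings.append({
                "depth": depth,  # 0 = top-level page, 1+ = nested frames
                "url": url,
                "origin": origin_of(url),
                "mime": res.get("WebResourceMIMEType", ""),
                "active": bool(ACTIVE.search(res.get("WebResourceData", b""))),
            })
        for frame in node.get("WebSubframeArchives", []):
            walk(frame, depth + 1)
    walk(plistlib.loads(blob), 0)
    return findings


# Constructed sample: a harmless page saved as if from https://example.com.
SAMPLE = plistlib.dumps({
    "WebMainResource": {
        "WebResourceURL": "https://example.com/account",
        "WebResourceMIMEType": "text/html",
        "WebResourceData": b"<html><script>void 0</script></html>",
    },
    "WebSubresources": [{
        "WebResourceURL": "https://example.com/logo.png",
        "WebResourceMIMEType": "image/png",
        "WebResourceData": b"\x89PNG",
    }],
}, fmt=plistlib.FMT_BINARY)
```

On a real file, pass the bytes read from disk to `inspect_webarchive`; an HTML resource that claims a sensitive origin and is flagged as active is worth reviewing before anyone opens the archive in Safari.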

Tightening security

"Prior to Safari 13, no warnings were even displayed to the user before a website downloaded arbitrary files," he continued. "So planting the webarchive file was easy."

Apple has not commented on the bug, nor is it known if it has been actively exploited. But Apple has paid Pickren $100,500 from its bug bounty program, $500 more than previously reported payouts.

The bug bounty program can officially award up to $1 million, and the company publishes a list of maximum sums per category of security issue reported. There is no requirement for security experts to publicly disclose how much they've been awarded.

So it's possible that Apple has paid out more than Pickren's $100,500. However, the company has previously been greatly criticized for paying less than its own maximums, as well as for being slow to patch reported bugs.


Comments

  • Reply 1 of 5
    This discovery is certainly worth more than $100k. I have no clue how Apple values a discovered hack but given the potential exploits of this hack I’d say it is worth closer to $1 million than $100k.
  • Reply 2 of 5
    tedz98 said:
    This discovery is certainly worth more than $100k. I have no clue how Apple values a discovered hack but given the potential exploits of this hack I’d say it is worth closer to $1 million than $100k.
    Sure made me wonder what sort of security vulnerability would be worth $1M to Apple. This one seemed pretty effing significant.
    edited January 26
  • Reply 3 of 5
    A comically small payout from this multi-trillion dollar company for such an extremely serious exploit. This really makes me question how much Apple truly values their users' security. Other smart, young hackers who discover similarly severe exploits will read about these pathetic payouts and instead seek out a 10x or larger payout from a malicious hacker group.

    edited January 26
  • Reply 4 of 5
    Is this the reason it is no longer possible to save a webarchive on Safari 15 under Catalina?
  • Reply 5 of 5
    davidw Posts: 1,538 member
    tedz98 said:
    This discovery is certainly worth more than $100k. I have no clue how Apple values a discovered hack but given the potential exploits of this hack I’d say it is worth closer to $1 million than $100k.
    Sure made me wonder what sort of security vulnerability would be worth $1M to Apple. This one seemed pretty effing significant.
    How about one that doesn't require the user to download a file and then install it?

    I imagine any good hacker can take over any part of a computer, if they can convince the user to download a malicious file and then install it. 

    A more significant security bug would be one that only required the user to click on an email link or a link on a website or through a network connection, without first having to install a downloaded file.

    What makes this serious is how easily a hacker can take over so many parts of a computer by just exploiting one security bug in Safari. But the hard part, still, is to convince the user to download the malicious file and install it in the first place. Not only must the user have admin privileges and the password to install it, the file will most likely have to bypass the "unknown developer" warning before it can be downloaded and opened. macOS (OS X) is not Windows.