A cyber security student has shown Apple how hacking its Mac webcams can then also leave devices fully open to hackers, earning him $100,500 from the company's bug bounty program.
Ryan Pickren, who previously discovered an iPhone and Mac camera vulnerability, has been awarded what is believed to be Apple's largest bug bounty payout.
According to Pickren, the new webcam vulnerability concerned a series of issue with Safari and iCloud that he says Apple has now fixed. Before it was patched, a malicious website could launch an attack using these flaws.
In his full account of the exploit, Pickren explains it would give the attacker full access to all web-based accounts, from iCloud to PayPal, plus permission to use the microphone, camera, and screensharing. If the camera were used, however, its regular green light would still come on as normal.
Pickren reports that the same hack would ultimately mean that an attacker could gain full access to a device's entire filesystem. It would do so by exploiting Safari's "webarchive" files, the system the browser uses to save local copies of websites.
"A startling feature of these files is that they specify the web origin that the content should be rendered in," writes Pickren. "This is an awesome trick to let Safari rebuild the context of the saved website, but as the Metasploit authors pointed out back in 2013, if an attacker can somehow modify this file, they could effectively achieve UXSS [universal cross-site scripting] by design."
A user has to download such a webarchive file, and then also open it. According to Pickren, this meant Apple did not consider this a realistic hack scenario when it first implemented Safari's webarchive.
"Granted this decision was made nearly a decade ago, when the browser security model wasn't nearly as mature as it is today," says Pickren.
Tightening security
"Prior to Safari 13, no warnings were even displayed to the user before a website downloaded arbitrary files," he continued. "So planting the webarchive file was easy."
Apple has not commented on the bug, nor is it known if it has been actively exploited. But Apple has paid Pickren $100,500 from its bug bounty program, $500 more than previously reported pay outs.
The bug bounty program can officially award up to $1 million, and the company publishes a list of maximum sums per category of security issue reported. There is no requirement for security experts to publicly disclose how much they've been awarded.
So it's possible that Apple has paid out more than Pickren's $100,500. However, the company has previously been greatly criticized for paying less than its own maximums, as well as for being slow to patch reported bugs.
6 Comments
This discovery is certainly worth more than $100k. I have no clue how Apple values a discovered hack but given the potential exploits of this hack I’d say it is worth closer to $1 million than $100k.
A comically small payout from this multi-trillion dollar company for such an extremely serious exploit. This really makes me question how much Apple truly values their users security. Other smart, young hackers who discover similarly severe exploits will read about these pathetic payouts and instead seek out a 10x or larger payout from a malicious hacker group.
Is this the reason it is no longer possible to save a webarchive on safari 15 under Catalina?