Apple has eliminated a number of serious flaws that allowed an iPhone’s camera to be hijacked.
According to a new report from Forbes, security researcher Ryan Pickren discovered seven zero-day vulnerabilities during a “pretty intense” bug-hunting expedition in Safari. He was paid $75,000 USD through Apple’s Bug Bounty Program for his efforts.
Pickren started to “hammer” Apple’s Safari browser for iOS and macOS in December 2019 to uncover weird behavior, particularly in relation to camera security. Eventually, he discovered seven zero-day vulnerabilities in Safari.
He reportedly used just three of these vulnerabilities to construct a kill chain that successfully hijacks any iOS or macOS camera. The vulnerabilities involved the way that Safari parsed Uniform Resource Identifiers, managed web origins and initialized secure contexts. By tricking a user into visiting a malicious website, an attacker could then directly access the camera, provided the user had previously granted camera access to a trusted video conferencing site such as Zoom, for example.
“A bug like this shows why users should never feel totally confident that their camera is secure,” Pickren said, “regardless of operating system or manufacturer.”
Pickren reported his discoveries through Apple’s Bug Bounty Program in December 2019. Apple validated all seven bugs and shipped a fix for the camera kill chain a few weeks later. The camera exploit was patched in Safari 13.0.5, which was released on January 28. The remaining zero-day vulnerabilities, which Apple judged to be less severe, were patched in Safari 13.1, which was released on March 24.
Apple paid Pickren $75,000 for discovering these vulnerabilities through its Bug Bounty Program, which pays security researchers up to $1 million USD, depending on the severity of the security flaw.
“I really enjoyed working with the Apple product security team when reporting these issues,” Pickren told Forbes. “The new bounty program is absolutely going to help secure products and protect customers. I’m really excited that Apple embraced the help of the security research community.”