Apple paid ethical hacker Ryan Pickren $75,000 for finding vulnerabilities in its Safari browser that allowed an attacker to hijack the user's camera, according to media reports.
Pickren discovered seven zero-day vulnerabilities in Apple Safari, three of which he chained together to successfully hijack the iPhone camera, Forbes reported.
Apple had expanded its bug bounty program in 2019, raising the top reward to $1.5 million for the most serious iPhone hacks. Pickren, a former security engineer at Amazon Web Services (AWS), set out to find vulnerabilities in the system as part of that program.
He delved into the Safari browser for iOS and macOS to "hammer the browser with obscure corner cases" in order to uncover unusual behaviour. He discovered seven vulnerabilities and used three of them to break the system's camera security model.
Pickren focused on reaching the camera by luring the user to a malicious website in Safari. According to the Forbes report, the website could then access the user's camera by passing itself off as a trusted video conferencing site that had earlier been granted access to the phone's camera.
He compiled his research and reported it to Apple in mid-December 2019, working with Apple's security team to patch the vulnerabilities.
Apple fixed three of the flaws in its January 28 Safari 13.0.5 update; the remaining four vulnerabilities were patched in Safari 13.1, released on March 24.