Cyber security student, Ryan Pickren, demonstrated how hacking webcams can leave the Mac device open to more hackers. He was participating in the company’s bug bounty program and was awarded $100,500 for the discovery. This was Apple’s largest bug bounty payout yet.
In a report by Apple Insider, Pickren recognized the new webcam vulnerability was concerned with Safari and iCloud. This gave hackers access to all web-based accounts, including iCloud and PayPal, and further permissions to use the microphone, camera, and screensharing. Safari’s ‘web archive’ files would have been exploited by hackers. Pickren says, “A startling feature of these files is that they specify the web origin that the content should be rendered in. This is an awesome trick to let Safari rebuild the context of the saved website, but as the Metasploit authors pointed out back in 2013, if an attacker can somehow modify this file, they could effectively achieve UXSS [universal cross-site scripting] by design.”
Apple has not commented on the bug and it is not known how many people were exploited, but the company has since then fixed the issue. Pickren received $500 more than previous payouts by Apple, but the tech company can officially award around $1 million in the program.