Researcher Hijacks iOS, macOS Camera with Three Safari Zero-Days

Yolanda Curtis
April 7, 2020

The flaws could let an attacker get at a device's camera and microphone without the user ever being asked for permission.

Apple recently paid a white-hat hacker $75,000 after he reported a series of zero-day vulnerabilities in Safari that could have allowed a malicious actor to gain access to the camera on a user's iPhone or MacBook.

Apple has a strong reputation for device security, which makes a finding of this kind notable.

The sizeable bug bounty was awarded to former Amazon Web Services (AWS) security engineer Ryan Pickren.

The technique side-stepped Apple's built-in protections for the camera, the microphone and Safari itself by making a malicious page pass for another site or app that already had permission, a task Pickren described as simply "wiggling around" until he found a variation on a link that "confused" Safari. Pickren had years of experience hunting Safari bugs and was therefore able to spot odd behaviour in obscure "corner cases" and combine those quirks into a kill chain. In practice an attacker would only need to trick the user into opening a malicious link: the Safari bugs then caused the browser to treat the attacker's page as if it were a trusted site, such as a video-conferencing service the user had earlier allowed to use the camera, so the page inherited that permission without any new prompt, according to the Forbes report.
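The security-relevant mechanism is that the browser remembers camera and microphone permission per site, so anything that makes it compute the wrong identity for a page effectively lends that page another site's permission. The JavaScript below is an added illustration written for this article, not Pickren's exploit and not Safari's code: it models a permission store assumed to be keyed on the page's web origin (scheme, host and port) and contrasts a loose string-based check, which crafted links can fool, with a check on the parsed origin. The trusted site skype.example and the host attacker.test are hypothetical names, and the sample links are constructed for the demonstration.

```javascript
// Added illustration, not Pickren's exploit and not Safari's code.
// Models a per-site camera permission store and two ways of deciding
// whether a page may reuse a permission the user granted earlier.
// Hypothetical names: skype.example is the trusted site, attacker.test
// is the attacker's host. The permission store is assumed to be keyed
// on the web origin (scheme + host + port).

// Sites the user has already allowed to use the camera (constructed sample).
const trustedOrigins = new Set(["https://skype.example"]);

// Weak check: treats the raw link text as trusted if it merely starts
// with a trusted origin. This is the kind of loose matching that lets a
// crafted link "pretend to be" a site that already has permission.
function naivePermitted(link) {
  for (const origin of trustedOrigins) {
    if (link.startsWith(origin)) return true;
  }
  return false;
}

// Hardened check: parse with the WHATWG URL parser and compare the
// normalised origin, which is what the permission must be keyed on.
// Unparsable links and non-https schemes are refused outright.
function originPermitted(link) {
  let url;
  try {
    url = new URL(link);
  } catch (_) {
    return false; // not a valid absolute URL
  }
  if (url.protocol !== "https:") return false;
  return trustedOrigins.has(url.origin);
}

// Constructed sample links: genuine, lookalike and attacker-controlled.
const sampleLinks = [
  "https://skype.example/call",             // genuine
  "HTTPS://SKYPE.EXAMPLE:443/call",         // genuine, but not normalised
  "https://skype.example@attacker.test/",   // userinfo trick, host is attacker.test
  "https://skype.example.attacker.test/",   // subdomain of the attacker's domain
  "http://skype.example/",                  // right host, wrong scheme
  "javascript:stealCamera()",               // not a web origin at all
];

// For each link, report the parsed origin and both verdicts so the
// difference between the two checks is visible at a glance.
function compareChecks(links = sampleLinks) {
  return links.map((link) => {
    let origin = "null";
    try {
      origin = new URL(link).origin;
    } catch (_) {
      // leave origin as "null" for unparsable input
    }
    return {
      link,
      origin,
      naive: naivePermitted(link),
      hardened: originPermitted(link),
    };
  });
}

for (const row of compareChecks()) {
  const naive = row.naive ? "naive:ALLOW " : "naive:deny  ";
  const hard = row.hardened ? "origin:ALLOW " : "origin:deny  ";
  console.log(`${naive}${hard}${row.origin.padEnd(40)} ${row.link}`);
}
```

Run it with node; the two lookalike links are accepted by the prefix check but rejected once the origin is parsed, while the upper-case link with an explicit :443 port is wrongly rejected by the naive check and correctly accepted by the hardened one. The general lesson is that a permission store must be keyed on a canonical origin produced by the same parser the browser uses to render the page, never on the link text.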

Pickren says some of these bugs are quite old, dating from "years ago", and that they probably weren't as risky then as they are now.

Back in August 2019, Apple announced it was giving security researchers special iPhones to help them find security vulnerabilities.

Several bugs were involved in all, three of which Pickren chained together to reach the camera.

Apple has already fixed the flaws across its operating systems through updates released in January and March 2020. Apple's largest payout is $1,000,000, a prize reserved for a remote attack that succeeds with no user interaction at all.
