iPhone camera hack yields security researcher $75,000 from Apple

Apple recently paid a white hat hacker $75,000 after he unearthed a number of zero-day vulnerabilities that could have allowed a malicious actor to gain access to the camera on a user’s iPhone or MacBook.

As originally reported by Forbes, a former Amazon security engineer named Ryan Pickren was curious about exploring and finding potential security loopholes on the iPhone.

The report reads in part:

During December 2019, Pickren decided to put the notion that “bug hunting is all about finding assumptions in software and violating those assumptions to see what happens” to the test. He opted to delve into Apple Safari for iOS and macOS, to “hammer the browser with obscure corner cases” until weird behavior was uncovered. Pickren focused on the camera security model, which he readily admits was “pretty intense.”

Indeed, Apple really locks down the iPhone camera and requires explicit permission from users anytime a third-party app wants to access it. Pickren, though, discovered that explicit permission is not required when the request comes directly from another Apple application.

In turn, Pickren got to work and started looking for vulnerabilities in mobile Safari that would allow him to access the iPhone camera. Ultimately, Pickren found not one but seven zero-day vulnerabilities in mobile Safari. From there, Pickren managed to chain three of them together and gain access to the iPhone camera.

The vulnerabilities involved the way that Safari parsed Uniform Resource Identifiers, managed web origins and initialized secure contexts. Yes, this involved tricking a user into visiting a malicious website. Still, that website could then directly access the camera provided it had previously trusted a video conferencing site such as Zoom, for example. “A bug like this shows why users should never feel totally confident that their camera is secure,” Pickren said, “regardless of operating system or manufacturer.”

Pickren told Apple about his findings late last year, and the security exploit was ultimately fixed in late January with a Safari update.

Interestingly, Apple — in stark contrast to companies like Microsoft and Google — has historically shied away from paying researchers for unearthing bugs. That all changed a few years ago, in August of 2016, when Apple instituted its first ‘bug bounty’ program.

Naturally, the payout Apple offers for undisclosed bugs varies with the severity and the type of application involved. For instance, Apple will pay $100,000 for a bug involving a lock screen bypass. That number jumps to $250,000 for an attack capable of extracting user data. The biggest payout Apple offers is $1,000,000, a prize reserved for anyone who can implement an advanced network attack with no user interaction.

The matrix below highlights a few of the payout options:
