Apple has awarded a cybersecurity student $100,500 (roughly Rs 75,54,000) in bounty rewards for finding a vulnerability in the webcams on Mac computers. The student, Ryan Pickren, described the vulnerability in a blog post, saying that hackers could gain access to webcams on Mac computers by exploiting issues with iCloud Sharing and Safari 15. Apple has since fixed these vulnerabilities, Pickren said in his blog post. The $100,500 bounty is reportedly the largest bug bounty payout from the Cupertino-based giant.
Pickren had also previously discovered an iPhone and Mac camera vulnerability. He said that before Apple fixed the issue, a malicious website could launch an attack using these flaws. In his blog post, Pickren explained that the vulnerability would give the attacker full access to all web-based accounts from iCloud to PayPal, plus permission to use the microphone, camera, and screen sharing on Mac computers. He said that the same hack would ultimately mean that an attacker could gain full access to a device’s entire filesystem by exploiting Safari’s “webarchive” files.
“A startling feature of these files is that they specify the web origin that the content should be rendered in. This is an awesome trick to let Safari rebuild the context of the saved website, but as the Metasploit authors pointed out back in 2013, if an attacker can somehow modify this file, they could effectively achieve UXSS [universal cross-site scripting] by design,” Pickren said in his blog post.
Apple has not commented on the vulnerability yet, but the company has paid Pickren a sum of $100,500 from its bug bounty program. The bug bounty program from Apple can officially award up to $1 million (roughly Rs 7,51,00,000) to those who find bugs in the company’s software or gadgets. Apple publishes a list of maximum sums per category of security issue reports.