BIGGEST $100,500 Apple Bug Bounty Reward Paid To Student Over Mac Webcam Bug

Ryan Pickren, a cybersecurity student, was paid the largest Apple bug bounty reward ever for revealing a Mac webcam bug that opened doors for hackers

Ryan Pickren, a cybersecurity student and former Amazon Web Services security engineer, has uncovered a critical failure in Apple devices and bagged a $100,500 bug bounty. The bounty is the highest Apple bug bounty reward ever paid to anyone. Pickren is no stranger to Apple vulnerabilities, having discovered a vulnerability in iPhone and Mac cameras earlier in April 2020. Now he has uncovered another Mac webcam bug that allows hackers to break into the device and gain access to sensitive user information.

According to a report by AppleInsider, this bug in the Apple Mac webcam was tied to a chain of issues in iCloud and the Safari browser. Hackers could potentially have attacked millions of Apple users through these bugs and gained unauthorized access to information across multiple user accounts. Apple has since fixed these issues.


How did these bugs expose Apple’s security?

Pickren recently posted on his blog and detailed how this vulnerability would allow hackers to access details of user accounts such as Gmail, Facebook, Zoom and PayPal. Not only did the vulnerability grant access to all web-based accounts and information, including iCloud; it also allowed use of the webcam and microphone to watch and listen to everything the user might do. This revealed a very critical security flaw in all Apple devices, including Mac, iPhone and iPad, and it eventually led to him winning the huge Apple bug bounty reward.

Pickren explained that it all started with abusing the Safari browser (Safari v15 when he tried this) and gaining access to web archive files. Web archives are Safari's local saved copies of websites, stored so that a page can be reopened quickly later.

“This is a great trick to make Safari rebuild the context of the saved website, but as the Metasploit authors pointed out in 2013, if an attacker can somehow modify this file, they can effectively achieve UXSS [universal cross-site scripting] by design,” Pickren wrote in his post.


What this meant was that a user only has to download such a web archive and open the archived website, and this is where a malicious website can gain access. Pickren said Apple did not consider this potential hacking scenario when developing Safari's web archive functionality.

While Apple has not made a statement about these bugs, it has paid the bounty to Pickren. Interestingly, the Apple bug bounty program has been around for a while. Under the program's terms, a researcher who demonstrates access to sensitive user information is awarded $100,000. Apple has exceeded that amount for the first time and paid Pickren a total reward of $100,500.

Arun Agarwal
I am Arun Agarwal, a passionate blogger and gamer. I love to share my thoughts on games and technology through blog posts. I’m also an avid reader of books about history, philosophy, science-fiction, and other genres as well as an anime fan. I like reading books that give me new perspectives or help me think differently about the world around us.