Skip to main content

Flaw hunter bags $75,000 off Apple after duping Safari into spying through iPhone, Mac cameras without permission

posted onApril 7, 2020
by l33tdawg
The Register
Credit: The Register

Independent security researcher Ryan Pickren has revealed how a malicious website could hack Apple's Safari browser on iOS and macOS to spy on the user through the computer's camera without prompting for permission.

Pickren said Apple classified the bug as "one-click remote partial access to sensitive data," and awarded him $75,000 under the terms of its Security Bounty scheme.

Apple fixed the issues with Safari 13.1, crediting Pickren for three bug reports in the patch release notes. The three flaws mentioned by Apple are "a malicious iframe may use another website’s download settings"; "a download's origin may be incorrectly associated"; and "a file URL may be incorrectly processed". The fix is dated March 24, 2020 and the vulnerable version of Safari is 13.0.4, so if you still have that one, update it now. Pickren is the founder of the site BugPoC, designed for hosting proof-of-concept demos of security issues.

Source

Tags

Security Apple

You May Also Like

Recent News

Friday, November 29th

Tuesday, November 19th

Friday, November 8th

Friday, November 1st

Tuesday, July 9th

Wednesday, July 3rd

Friday, June 28th

Thursday, June 27th

Thursday, June 13th

Wednesday, June 12th

Tuesday, June 11th