Page Loader
Home / News / Technology News / Hacker flags Safari vulnerabilities, wins Rs. 57 lakh from Apple
Hacker flags Safari vulnerabilities, wins Rs. 57 lakh from Apple

Hacker flags Safari vulnerabilities, wins Rs. 57 lakh from Apple

By Shubham Sharma
Apr 05, 2020
08:51 pm
What's the story

Apple encourages security researchers to flag vulnerabilities in its products and is also willing to pay some really good money for that. Case in point: the ethical hacker who has just won Rs. 57 lakh ($75,000) from the Cupertino giant for flagging as many as seven critical flaws in its Safari browser. Here's all you need to know about it.

Award

Bounty to former AWS security engineer Ryan Pickren

The ginormous "bug bounty" was awarded to former Amazon Web Services (AWS) security engineer Ryan Pickren. He had looked at Apple's Safari ecosystem and discovered at least seven critical zero-day vulnerabilities posing a threat to the security of users. However, instead of using them for attacks, he reported the bugs to the company, ensuring that they were fixed before anyone could exploit them.

Details

Three issues allowed remote hijacks

Of the seven issues uncovered, three opened a way to hijack the camera and microphone of iPhones, iPads, and Macs. The exact exploit has not been detailed, but the issues largely revolved around tricking the user into opening a malicious website, which, when opened, could access the camera if it had previously trusted video-conferencing platforms like Zoom and Skype.

Report

Bugs were reported in mid-December

Pickren says he had informed Apple about the vulnerabilities back in mid-December and the company was quick to issue the required fixes and release the reward. The glitches were not disclosed until earlier this week, the researcher added, noting this is the first reward he has won under the bug bounty program that Apple recently expanded to accept entries for macOS issues.

Response

'Users should not think their cameras are fully secured'

Speaking to Forbes, Pickren stated, "A bug like this shows why users should never feel totally confident that their camera is secure, regardless of operating system or manufacturer." He added, "I really enjoyed working with the Apple product security team when reporting these issues. The new bounty program is absolutely going to help secure products and protect customers."