Apple Pays Hacker Who Found Seven Zero-Days $75,000

Joanna Estrada
April 5, 2020

Apple expanded its bug bounty program last December to accept a wider range of vulnerabilities, with the aim of improving its products and building a healthier relationship with users and outside security researchers. Using just three of these zero-day vulnerabilities, the ethical hacker managed to hack the iPhone camera, or any iOS or macOS camera for that matter, according to a report published by Forbes.

During December 2019, Pickren chose to put the notion that "bug hunting is all about finding assumptions in software and violating those assumptions to see what happens" to the test.

According to reports, security researcher Ryan Pickren discovered the vulnerabilities in Safari after he decided to "force the browser with obscure corner cases" until it began to display odd behavior.

Pickren, who reported the security vulnerabilities to Apple, says Safari encourages users to save their per-site access permission preferences. He focused on camera security, despite it being incredibly strong.

The vulnerabilities involved the way Safari parsed Uniform Resource Identifiers, managed web origins, and initialized secure contexts. The remaining four vulnerabilities were less severe and were fixed by Apple in the Safari 13.1 release on March 24.

"Put simply - the bug tricked Apple into thinking a malicious website was actually a trusted one". The website would then enable him to hack into the user's camera under the guise of trusted video conferencing websites which had earlier been granted access to the phone's camera, according to the Forbes report. "A bug like this shows why users should never feel completely confident that their camera is secure", Pickren said, "regardless of operating system or manufacturer".

Interestingly, Apple - in stark contrast to companies like Microsoft and Google - has historically shied away from paying researchers for unearthing bugs.

Despite having discovered a zero-day, Pickren's payout was far from the maximum amount paid by Apple, which offers up to $1.5 million for more serious vulnerabilities. Prior to the December expansion, Apple's bug bounty program was invitation-based, and non-iOS devices were not included. That number jumps to $250,000 for an attack capable of extracting user data.

A lifelong Mac user and Apple enthusiast, Yoni Heisler has been writing about Apple and the tech industry at large for over 6 years. Her writing has appeared on Edible Apple, Network World, MacLife, Macworld UK, and more recently, TUAW.
