Researcher claims $75K payout from Apple for iPhone camera hack

It's the latest payout in Apple’s bug bounty program, which the technology giant expanded last year.
Pickren figured out how to trick a Safari browser into serving up malicious code to infiltrate the iPhone camera and steal browser passwords. (Getty images)

Apple has paid a cybersecurity researcher $75,000 for a software exploit chain used to access an iPhone camera and microphone, the researcher said this week.

They are the kind of invasive capabilities that a spyware vendor would drool over. But Ryan Pickren, an Atlanta-based white-hat hacker, worked with Apple’s bug bounty program to get them fixed.

“I had some experience looking for bugs in [Apple’s web browser] Safari before they launched their bug bounty program,” Pickren told CyberScoop in an email, describing why he took on what he called “two weeks of intense research.”

Pickren figured out how to trick a Safari browser into serving up malicious code to infiltrate the iPhone camera and steal browser passwords. He did it by abusing the trust the iPhone was placing in Safari websites — trust that the device didn’t place in non-native applications. The malicious Safari website offered Pickren and his chain of exploits direct access to the iPhone camera.

“The camera security model in iOS and macOS is pretty intense,” Pickren wrote in a blog post demonstrating the hack, because “each app must be explicitly granted camera/microphone permission.” He uncovered seven previously undisclosed vulnerabilities, or “zero-days,” but he only needed three for the webcam hack.

He demonstrated the exploit for Apple engineers. They saw enough to pay him $75,000 for flagging the issues, which have been fixed in the latest versions of Safari. Apple did not respond to a request for comment. Pickren said he hasn’t seen any sign of malicious hackers exploiting the vulnerabilities.

Pickren has been a prolific contributor to corporate bug bounty programs like that of United Airlines, and has set up a platform for security professionals to share proof-of-concept exploits.

His $75,000 prize is the latest payout in Apple’s bug bounty program, which the technology giant expanded last year, promising up to $1.5 million to researchers for the most sensitive of iOS exploits.

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.