According to Forbes, Apple paid a hacker $75,000 for identifying several zero-day vulnerabilities in its software, some of which could be chained to hijack the cameras of MacBooks or iPhones. Zero-day vulnerabilities are software flaws that the developers and the public do not know about, but which may already be known to attackers who quietly exploit them.
Security researcher Ryan Pickren reportedly discovered the vulnerabilities in Safari after deciding to hammer the browser with obscure corner cases until it began to show bizarre behavior. In total he found seven vulnerabilities. They relate to the way Safari parses Uniform Resource Identifiers, manages web feeds, and initializes security contexts; three of them could be chained to trick users into visiting a malicious website and to give attackers access to the camera.
Pickren reported his findings to Apple in December 2019 through Apple’s bug bounty program. Apple promptly verified all seven vulnerabilities and released a fix for the camera issue a few weeks later. The camera vulnerability was patched in Safari 13.0.5, released on January 28. The remaining, less serious zero-day vulnerabilities were patched in Safari 13.1, released on March 24.
Apple opened its bug bounty program to all security researchers in December 2019. Previously, the program had been invitation-only and did not cover non-iOS devices. Apple also raised the maximum reward per vulnerability from $200,000 to $1 million, depending on the nature of the vulnerability.
When submitting a report, researchers must include a detailed description of the problem, an explanation of the system state under which the vulnerability is triggered, and enough information for Apple to reliably reproduce it. This year, Apple plans to offer vetted and trusted security researchers and hackers special “developer” versions of the iPhone that provide deeper access to the underlying software and operating system, making it easier to find vulnerabilities.