Bugs that let sites hijack Mac and iPhone cameras fetch $75k bounty

by Dan Goodin, from Ars Technica
A security bug that gave malicious hackers the ability to access the cameras of Macs, iPhones, and iPads has fetched a $75,000 bounty for the researcher who discovered it.

In posts published here and here, researcher Ryan Pickren said he discovered seven vulnerabilities in Safari and its WebKit browser engine that, when chained together, allowed malicious websites to turn on the cameras of Macs, iPhones, and iPads. Pickren privately reported the bugs, and Apple has since fixed the vulnerabilities and paid the researcher $75,000 as part of the company's bug bounty program.

Apple tightly restricts the access that third-party apps get to device cameras. For Apple apps, the restrictions aren't quite as stringent. Even then, Safari requires users to explicitly list the sites that are allowed camera access. And beyond that, those sites can access cameras only when they are delivered in a secure context, meaning when the browser has high confidence the page is being delivered through an HTTPS connection.
