Apple Pays Student Record-High $105,000 Bug Bounty for Uncovering Safari, iCloud Vulnerability

BY Chandraveer Mathur

Published 25 Jan 2022


Some developers have been rather upset with Apple’s Bug Bounty Program, but one student just collected a $105,000 payout for discovering a vulnerability. This is thought to be a record-high bounty. He was reportedly rewarded for showing Apple how bad actors could hack webcams on Apple devices and make them vulnerable to subsequent attacks.

Ryan Pickren, the cybersecurity student who unmasked the vulnerabilities, says they arise from various issues in iCloud and Safari. The issues allowed malicious websites to attack Apple devices and gain unrestricted access to online accounts such as Gmail, iCloud, and PayPal, among others. They would also give the attackers access to the device’s camera, microphone, and on-screen content.

The Bug Bounty Program can reward contributors up to $1 million, and Apple discloses the maximum bounty awarded per issue category. However, individuals who discover the bugs need not disclose their payouts. Pickren’s bounty is said to be $500 more than the previous highest reward the Cupertino giant gave out.

Earlier, Pickren discovered another iPhone and Mac camera vulnerability. In a detailed blog post, he adds that the newly discovered issue could give bad actors full access to the device file system. Safari locally stores copies of websites in “webarchive” files. If attackers modify this file, they could wreak havoc. Pickren believes Apple considered it unlikely that an attacker would go to the lengths of downloading the victim’s webarchive file and editing it to attack.

“A startling feature of these files is that they specify the web origin that the content should be rendered in. This is an awesome trick to let Safari rebuild the context of the saved website, but as the Metasploit authors pointed out back in 2013 if an attacker can somehow modify this file, they could effectively achieve UXSS (universal cross-site scripting) by design.”

“Granted this decision was made nearly a decade ago when the browser security model wasn’t nearly as mature as it is today. Prior to Safari 13, no warnings were even displayed to the user before a website downloaded arbitrary files. So planting the webarchive file was easy.”

Apple has since patched the vulnerability and paid Pickren $105,000 for discovering it.
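The webarchive behaviour quoted above can be checked from the defender's side. The following is an added example, not code from Pickren's post or from Apple: a triage helper that reads a .webarchive as a property list and reports the origin it declares. It assumes the usual webarchive keys (`WebMainResource`, `WebResourceURL`, `WebResourceData`, `WebSubresources`); the function names, the active-content heuristic and the sample archive are constructed for illustration.

```python
import plistlib
import re
from urllib.parse import urlsplit

# Crude markers of active content; a heuristic chosen for this example.
ACTIVE = re.compile(rb"<script\b|\son\w+\s*=|javascript:", re.IGNORECASE)

def declared_origin(url):
    """Origin (scheme://host[:port]) a resource claims, or None."""
    try:
        parts = urlsplit(url)
        port = parts.port
    except ValueError:
        return None
    if not parts.scheme or not parts.hostname:
        return None
    return f"{parts.scheme}://{parts.hostname}" + (f":{port}" if port else "")

def inspect_webarchive(blob):
    """Triage facts for the bytes of a .webarchive file."""
    try:
        archive = plistlib.loads(blob)
    except Exception:  # not a property list, or a malformed one
        return {"valid": False}
    main = archive.get("WebMainResource") if isinstance(archive, dict) else None
    if not isinstance(main, dict):
        return {"valid": False}
    data = main.get("WebResourceData", b"")
    if isinstance(data, str):
        data = data.encode("utf-8", "replace")
    raw = archive.get("WebSubresources")
    subs = [r for r in raw if isinstance(r, dict)] if isinstance(raw, list) else []
    origins = {declared_origin(str(r.get("WebResourceURL", ""))) for r in [main] + subs}
    origins.discard(None)
    return {
        "valid": True,
        "main_origin": declared_origin(str(main.get("WebResourceURL", ""))),
        "all_origins": sorted(origins),
        "active_content": bool(ACTIVE.search(data)),
    }

def build_sample(html):
    """Constructed sample archive (hypothetical URL), for offline testing only."""
    main = {"WebResourceURL": "https://accounts.example.com/login",
            "WebResourceMIMEType": "text/html", "WebResourceData": html}
    return plistlib.dumps({"WebMainResource": main}, fmt=plistlib.FMT_BINARY)
```

A file that arrived by download or attachment, declares an origin the user holds sessions on, and reports `active_content` as true is the combination worth escalating.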